MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad
SHA3-384 hash: a3a119d1674864a36978cb05e91a817acf99431671416ef2d43445d01b90cfb63c5c1aa9297b090b30b51322ddf69138
SHA1 hash: f24aca197cad0e0c2cbc06c1c9d1063e7dde32c1
MD5 hash: 5cb31213e34b960dd22125d5881d783b
humanhash: four-india-purple-leopard
File name:5cb31213e34b960dd22125d5881d783b
Download: download sample
Signature AgentTesla
Create hunting rule
File size:611'328 bytes
First seen:2023-06-29 09:05:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/2iNQ5NwL8eNhOIW4Q5OxBXWeJ6HkINgp/MyEJOlZ:/1W5NwLfNU3oo+MkINin
Threatray 131 similar samples on MalwareBazaar
TLSH T1EFD4583C1CBE2A3BC174DAB9CFE48463F450D47B39226A36A4D78755474AEA221C723D
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
2esHVNjmytPH05O (1).exe
Verdict:
Malicious activity
Analysis date:
2023-06-29 08:24:38 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/bfab3455-cb1f-4fc0-a4b0-3432d8b74978

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/403720/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/649d497c2aeaabaa7b77c08c/reports/b0e05bcb-fc1c-4e17-b1ca-4caff3c87197/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9868557-8ca1-42b0-a152-c149787912cb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1263152
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 896182 Sample: URmjZ5ocgI.exe Startdate: 29/06/2023 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 5 other signatures 2->55 7 URmjZ5ocgI.exe 7 2->7         started        11 BttqxcYvYaRne.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\BttqxcYvYaRne.exe, PE32 7->31 dropped 33 C:\...\BttqxcYvYaRne.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp9EE8.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...\URmjZ5ocgI.exe.log, ASCII 7->37 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 URmjZ5ocgI.exe 15 7 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 21 BttqxcYvYaRne.exe 14 7 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 valerehandstand.com 66.29.132.105, 49694, 49695, 49699 ADVANTAGECOMUS United States 13->39 41 api4.ipify.org 64.185.227.155, 443, 49692 WEBNXUS United States 13->41 43 api.ipify.org 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 173.231.16.76, 443, 49693 WEBNXUS United States 21->45 47 api.ipify.org 21->47 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->69 71 Tries to steal Mail credentials (via file / registry access) 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-27 11:23:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
25 of 37 (67.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bezut4a2tkfmkpafebtwg4tfnhsamluxubqxsvzhs2fphpixw6wq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c4fbc2a7b532485b65e5046e3bc7191f479df3fa9d401f3f78cb3d6b47429a4
AgentTesla
5d0e819a624b53524558b2e89007e0a645123a0e401a4dd5c2e5f709730e8f0e
AgentTesla
82459746ad789498fb60c495e633e452cd072fe0ac457a0032cac23fd12f6610
AgentTesla
ac6dc0a36b72587d81149bc0bb5755ff33f9d9d926cc4086e508f1086fe4a7c1
AgentTesla
ba5cfc9373499678bbd2a9ca62e554be9c114d913cf97c00822917226df0bbe2
AgentTesla
e3a60c9d44679aa4a97d4a7d8c60e56dfc63243c126a8e92a92ba527dc4f5ee2
AgentTesla
e9cd9696e6bf493ed5be1c9099a5181593f585aaccb80397f02e6311ee3766e9
AgentTesla
f03d67ed2031e2139d12a96b4a43b4c4b871711329d74472f8a97ec8f2e8ed8e
AgentTesla
+ 121 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230629-k2q28ace52/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672
MD5 hash:
14ee8b8b7e47469317d1012f0898b111
SHA1 hash:
c6da4e2f1ab8c277129026648cbf97d8d6126245
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
9319fed6a4affba0a057071d36587882803cf884e75db44c34553369aba5b2c4
MD5 hash:
1ecab728c4cfe42f5b846631725ce538
SHA1 hash:
bde585721da6c333646b76fee42a840ac7be91af
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
2de99c0c27d3f955def3348c621de01f2dcb89221a9ea2d9ec4e0f76f42fb795
MD5 hash:
12b0878e8abca3141f8fc111172cbfe1
SHA1 hash:
8703c0f114bb7cd0298caa4d5fd28cf98c370791
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
Parent samples :
0015bb398faf3d5bd6cce91271f01606686ea8cb73ae9c7f648dfff9d0091dfe
093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad
612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178
SH256 hash:
8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672
MD5 hash:
14ee8b8b7e47469317d1012f0898b111
SHA1 hash:
c6da4e2f1ab8c277129026648cbf97d8d6126245
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
9319fed6a4affba0a057071d36587882803cf884e75db44c34553369aba5b2c4
MD5 hash:
1ecab728c4cfe42f5b846631725ce538
SHA1 hash:
bde585721da6c333646b76fee42a840ac7be91af
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
2de99c0c27d3f955def3348c621de01f2dcb89221a9ea2d9ec4e0f76f42fb795
MD5 hash:
12b0878e8abca3141f8fc111172cbfe1
SHA1 hash:
8703c0f114bb7cd0298caa4d5fd28cf98c370791
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
Parent samples :
0015bb398faf3d5bd6cce91271f01606686ea8cb73ae9c7f648dfff9d0091dfe
093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad
612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178
SH256 hash:
8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672
MD5 hash:
14ee8b8b7e47469317d1012f0898b111
SHA1 hash:
c6da4e2f1ab8c277129026648cbf97d8d6126245
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
9319fed6a4affba0a057071d36587882803cf884e75db44c34553369aba5b2c4
MD5 hash:
1ecab728c4cfe42f5b846631725ce538
SHA1 hash:
bde585721da6c333646b76fee42a840ac7be91af
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
2de99c0c27d3f955def3348c621de01f2dcb89221a9ea2d9ec4e0f76f42fb795
MD5 hash:
12b0878e8abca3141f8fc111172cbfe1
SHA1 hash:
8703c0f114bb7cd0298caa4d5fd28cf98c370791
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
Parent samples :
0015bb398faf3d5bd6cce91271f01606686ea8cb73ae9c7f648dfff9d0091dfe
093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad
612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178
SH256 hash:
8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672
MD5 hash:
14ee8b8b7e47469317d1012f0898b111
SHA1 hash:
c6da4e2f1ab8c277129026648cbf97d8d6126245
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
9319fed6a4affba0a057071d36587882803cf884e75db44c34553369aba5b2c4
MD5 hash:
1ecab728c4cfe42f5b846631725ce538
SHA1 hash:
bde585721da6c333646b76fee42a840ac7be91af
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
SH256 hash:
2de99c0c27d3f955def3348c621de01f2dcb89221a9ea2d9ec4e0f76f42fb795
MD5 hash:
12b0878e8abca3141f8fc111172cbfe1
SHA1 hash:
8703c0f114bb7cd0298caa4d5fd28cf98c370791
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
Parent samples :
0015bb398faf3d5bd6cce91271f01606686ea8cb73ae9c7f648dfff9d0091dfe
093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad
612f3aecb33df03a30f2c2a09ce41160d90a2388cbaf75f1f4e3fb2ee218e178
SH256 hash:
093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad
MD5 hash:
5cb31213e34b960dd22125d5881d783b
SHA1 hash:
f24aca197cad0e0c2cbc06c1c9d1063e7dde32c1
Link:
https://www.unpac.me/results/b5c9b29f-ebb9-4f1e-af2d-4aa23ee1caa4/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/093349f01a9a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 093349f01a9a8ac53c05206763726569e4062e97a061795727968af3bd17b7ad

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2673720/
Cape
Cape
https://www.capesandbox.com/analysis/403720/

Comments


Avatar
zbet commented on 2023-06-29 09:05:32 UTC

url : hxxps://zummil.com/data/2esHVNjmytPH05O.exe