MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0974f06e3838a87a0e6364e011e72f8d416f64cf08557d790940d8399aca7037. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0974f06e3838a87a0e6364e011e72f8d416f64cf08557d790940d8399aca7037
SHA3-384 hash: 0e56cf99b65a7d903d241e8af0a6d3daac905ac6c59a1a66d4d5e01b654ad5fd7f44d0eea3d682b630cb432ca6b5776a
SHA1 hash: f24cfe300c26c87a039556266dfc28574517ef4d
MD5 hash: dbbf4c308788100b235eb6ccb6542290
humanhash: delaware-rugby-tennis-salami
File name:payment receipt.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'404'928 bytes
First seen:2022-10-18 15:26:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNusszZvcRWOB:RSbcUE/b0sXxfLfFdjm
Threatray 20'763 similar samples on MalwareBazaar
TLSH T1685549BA2280229EE826B2758563EDB322F77D255121D1CF50C33F6FBD781B79512287
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 6a6a6a6adacacada (1 x SnakeKeylogger, 1 x AgentTesla)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
payment receipt.exe
Verdict:
Malicious activity
Analysis date:
2022-10-18 11:54:21 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/1a4190d4-9639-4b4b-82cd-138cfb76c56a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321432/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634ec5c6b5f60e72b8c74f15/reports/ffaf1ae5-d16f-4a05-b11d-3f3261e69f47/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97602b78-2a33-4f91-a028-79fa6823e15d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1092866
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 725489 Sample: payment receipt.exe Startdate: 18/10/2022 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 13 other signatures 2->55 7 laGOYnkJugv.exe 5 2->7         started        10 payment receipt.exe 7 2->10         started        process3 file4 57 Multi AV Scanner detection for dropped file 7->57 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 May check the online IP address of the machine 7->61 67 2 other signatures 7->67 13 laGOYnkJugv.exe 3 7->13         started        17 schtasks.exe 1 7->17         started        31 C:\Users\user\AppData\...\laGOYnkJugv.exe, PE32 10->31 dropped 33 C:\Users\...\laGOYnkJugv.exe:Zone.Identifier, ASCII 10->33 dropped 35 C:\Users\user\AppData\Local\...\tmp6C97.tmp, XML 10->35 dropped 37 C:\Users\user\...\payment receipt.exe.log, ASCII 10->37 dropped 63 Adds a directory exclusion to Windows Defender 10->63 65 Injects a PE file into a foreign processes 10->65 19 payment receipt.exe 15 3 10->19         started        21 powershell.exe 21 10->21         started        23 schtasks.exe 1 10->23         started        signatures5 process6 dnsIp7 39 3.232.242.170, 443, 49709 AMAZON-AESUS United States 13->39 41 api.ipify.org 13->41 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->69 71 Tries to steal Mail credentials (via file / registry access) 13->71 73 Tries to harvest and steal ftp login credentials 13->73 75 Tries to harvest and steal browser information (history, passwords, etc) 13->75 25 conhost.exe 17->25         started        43 api.telegram.org 149.154.167.220, 443, 49708, 49710 TELEGRAMRU United Kingdom 19->43 45 api.ipify.org.herokudns.com 3.220.57.224, 443, 49707 AMAZON-AESUS United States 19->45 47 api.ipify.org 19->47 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0974f06e3838a87a0e6364e011e72f8d416f64cf08557d790940d8399aca7037/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 10:09:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
64
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bf2pa3ryhcuhudtdmtqbdzzprvaw6zgpbbkx26ijidmdtgwkoa3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
49adec13776b1d5c1a583a7ecfc3dca07898f060ba46010cdabd2923348d0ed0
AgentTesla
5e3e727709eadb8dcd9737154bee61d39431485042865f1b0b69887c9c75905f
AgentTesla
60500347dcd01ce976f1edc949b4f5e1f7f52f4c553c34bfda79e16bfadd4a6e
AgentTesla
8a009a9d847c3daafcc51139c4b315e17a53bebf28575ae911ea9e893f5a3f1b
AgentTesla
8db786d79b58e358610e6b182c91838796fb7478b3b2f3266576ba6cc83f2979
AgentTesla
ab828ebbb7925536f94b2fe3f34100bdc8326589deb88e90dd3490893495f19c
AgentTesla
be06f8a3ed040aadf2598bc5a9b4c886c271ad7866505dba11b723dba968f518
AgentTesla
cf633ec437e48b72f1bbf05a6f21ace7b94686afa55a6c473ff72ef6d4dc1bc7
AgentTesla
+ 20'753 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221018-svqrwagefr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5329940603:AAEm7pamtb0Y3gJkFH2RisynqkQ5_GX9q5A/
Gathering data
Unpacked files
SH256 hash:
fd3258ba617f768378144dec11b88364f7e9114ca81b056aa443b3fe57c38416
MD5 hash:
f3249ab8a9ae5069248622e6a8f3da93
SHA1 hash:
c2a02ec725429d8fd47d44841c7b9ce5ea98c77d
Link:
https://www.unpac.me/results/a83c6d65-0440-46f7-9973-6feb1ecf46b1/
SH256 hash:
acc307df31535b7bfcc8039b4bf26ae71567fab6f78c8fcefab496d3f8302fe2
MD5 hash:
5c52fdce79c6038ffaa2d97ec0b4fdbc
SHA1 hash:
b6c5580a9ac77fdbb38d700036b3a6f559f5605b
Link:
https://www.unpac.me/results/a83c6d65-0440-46f7-9973-6feb1ecf46b1/
SH256 hash:
5b6e58fcbea0ed8ed669c3a024e49879c761476b184788c78ca1c2a4a0af0889
MD5 hash:
1c19534188e3ae362e05e694479ff8ae
SHA1 hash:
2b5bbfca981597568e01c5115b7e4f3882721f16
Link:
https://www.unpac.me/results/a83c6d65-0440-46f7-9973-6feb1ecf46b1/
SH256 hash:
f0ddd61a1e775658369da851fa431834a1172a98b806dd0400ecf1f301b651d1
MD5 hash:
466a05e9bd7767ed265df79baa3df66c
SHA1 hash:
2a162908ad8704e7b4c1e67ab912462d31ade1f5
Link:
https://www.unpac.me/results/a83c6d65-0440-46f7-9973-6feb1ecf46b1/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/a83c6d65-0440-46f7-9973-6feb1ecf46b1/
SH256 hash:
0974f06e3838a87a0e6364e011e72f8d416f64cf08557d790940d8399aca7037
MD5 hash:
dbbf4c308788100b235eb6ccb6542290
SHA1 hash:
f24cfe300c26c87a039556266dfc28574517ef4d
Link:
https://www.unpac.me/results/a83c6d65-0440-46f7-9973-6feb1ecf46b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0974f06e3838a87a0e6364e011e72f8d416f64cf08557d790940d8399aca7037

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0974f06e3838a87a0e6364e011e72f8d416f64cf08557d790940d8399aca7037

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321432/

Comments