MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10796f485eeb2a41905c482e0fbdd2c059d536a8324c6e4c421532257ea61720. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10796f485eeb2a41905c482e0fbdd2c059d536a8324c6e4c421532257ea61720
SHA3-384 hash: a48d631d8e47ce62e842adac8a79c1d832461c25ebae64cf63189401425cb2003dd43bb6aa94b405b5c82c5e788a4f7c
SHA1 hash: 74c34478c317e404873b5177a1ee7373d1106365
MD5 hash: 3c78e1e1266030d768d10cdc21ba40ae
humanhash: mockingbird-artist-foxtrot-pip
File name:December 2023 - Exchange Rate.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:581'632 bytes
First seen:2023-12-22 06:55:17 UTC
Last seen:2023-12-22 08:19:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:+KbmomWOHSIomJ3OYoLi4/yRUz1VzBFPEWF5J481WR4:Hb/BIoqg9/Tq88R4
Threatray 444 similar samples on MalwareBazaar
TLSH T1AEC412A87BAA8407DC6D03FE0022011893BD75265623E7CD5D8731E60EF6BA4C7567AF
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0060796969697000 (8 x AgentTesla, 6 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468923/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65853305b4e856b728233547/reports/b714ac01-7035-434e-a256-8864800a9c17/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/10796f485eeb2a41905c482e0fbdd2c059d536a8324c6e4c421532257ea61720
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fece329e-e118-4f87-9c31-dd72b1afc547
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365996
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365996 Sample: December_2023_-_Exchange_Rate.exe Startdate: 22/12/2023 Architecture: WINDOWS Score: 100 33 us2.smtp.mailhostbox.com 2->33 35 Found malware configuration 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 6 other signatures 2->41 7 MmRKwR.exe 3 2->7         started        10 December_2023_-_Exchange_Rate.exe 3 2->10         started        12 MmRKwR.exe 2 2->12         started        signatures3 process4 signatures5 43 Antivirus detection for dropped file 7->43 45 Multi AV Scanner detection for dropped file 7->45 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->47 49 Machine Learning detection for dropped file 7->49 14 MmRKwR.exe 2 7->14         started        51 Injects a PE file into a foreign processes 10->51 17 December_2023_-_Exchange_Rate.exe 1 5 10->17         started        21 MmRKwR.exe 2 12->21         started        process6 dnsIp7 27 208.91.198.143, 587 PUBLIC-DOMAIN-REGISTRYUS United States 17->27 29 us2.smtp.mailhostbox.com 208.91.199.223, 587 PUBLIC-DOMAIN-REGISTRYUS United States 17->29 31 2 other IPs or domains 17->31 23 C:\Users\user\AppData\Roaming\...\MmRKwR.exe, PE32 17->23 dropped 25 C:\Users\user\...\MmRKwR.exe:Zone.Identifier, ASCII 17->25 dropped 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->53 55 Tries to steal Mail credentials (via file / registry access) 17->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->57 59 Tries to harvest and steal browser information (history, passwords, etc) 21->59 file8 signatures9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/10796f485eeb2a41905c482e0fbdd2c059d536a8324c6e4c421532257ea61720
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/10796f485eeb2a41905c482e0fbdd2c059d536a8324c6e4c421532257ea61720/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2023-12-22 06:56:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
15 of 23 (65.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cb4w6sc65mvedec4jaxa7posybm5knvigjgg4tcccuzck7vgc4qa._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
700e76e7520021aeb60b4cd42c3ab8bbd2a20fc36228ad4dfce94c927b6e7f58
AgentTesla
93c6d96d2c4eff6927c67389dbfa6be605fb70f8005783c3b9915a1ed9fd47f9
AgentTesla
ba5b23fdbec77442d3d5e9e87ea46dba8ce7df395fa5668edabe9be96eebae10
AgentTesla
c073d55e30e424b99d07e376c38ca35b579dbd327da6be96cec527b0e3132ccd
AgentTesla
+ 434 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231222-hqcdksbcek/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
bb265a8187cc1151c765128f6b8340c01b6283e29a3bbc8a3086a6c0a822c604
MD5 hash:
cb694dfef9a731230d1534e865e8f9b1
SHA1 hash:
defec996a4dc314488b016d7727f6c22ef4917fd
Link:
https://www.unpac.me/results/c1fdd6d6-7918-4d16-90fb-7dac8befae88/
SH256 hash:
1e549cfdf127402804e41e53ed40200876598aa167ef3f586d996c9a7982fc52
MD5 hash:
0fc8ebb6535797c45348ede4da50f5c6
SHA1 hash:
b14b20d9e69d962627addf30a9ed8205f35603aa
Detections:
AgentTeslaXorStringsNet
Create hunting rule
MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/c1fdd6d6-7918-4d16-90fb-7dac8befae88/
Parent samples :
4ab89b325e3a60240b9696e26406d31b5c328d5c684759022a9c1523104fc5a0
47560478ac10be3464c9193150527e27af88e214e2c8acace019e7fe32df5197
1cd1f5ab76966f57655f53e59b4d210ece1338051884e1fbe167e99020fc7ce4
c073d55e30e424b99d07e376c38ca35b579dbd327da6be96cec527b0e3132ccd
10796f485eeb2a41905c482e0fbdd2c059d536a8324c6e4c421532257ea61720
c569fe7d3ccb9bf36356f829d5ab7de3ba4261d3beaffef1e690d8d197919c71
SH256 hash:
e84e6b1f833d206172865a6dd2551825babd0a6c6316a8b68894955c72068769
MD5 hash:
6905b21a34b82aa10ccbf81fc7f8dbfe
SHA1 hash:
8fc3aedd90dc22424c2047eb603dc149a6fa2fb0
Link:
https://www.unpac.me/results/c1fdd6d6-7918-4d16-90fb-7dac8befae88/
SH256 hash:
0f49d90bba0035f57e41b8a4afb6f48e23945fcc9a73d6552b844c20829efac4
MD5 hash:
eb6a5d03227b41356d54a42c2d13492e
SHA1 hash:
77abf7582bf2d8ab60411623ba57467ec9269366
Link:
https://www.unpac.me/results/c1fdd6d6-7918-4d16-90fb-7dac8befae88/
SH256 hash:
10796f485eeb2a41905c482e0fbdd2c059d536a8324c6e4c421532257ea61720
MD5 hash:
3c78e1e1266030d768d10cdc21ba40ae
SHA1 hash:
74c34478c317e404873b5177a1ee7373d1106365
Link:
https://www.unpac.me/results/c1fdd6d6-7918-4d16-90fb-7dac8befae88/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/10796f485eeb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10796f485eeb2a41905c482e0fbdd2c059d536a8324c6e4c421532257ea61720

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 10796f485eeb2a41905c482e0fbdd2c059d536a8324c6e4c421532257ea61720

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468923/

Comments