MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11b1fdbb6834a0348d8f4357ff39d363953e399b8221c3b7d635d7e66b9a5ce5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11b1fdbb6834a0348d8f4357ff39d363953e399b8221c3b7d635d7e66b9a5ce5
SHA3-384 hash: 427a6770e43c42d1172277f889b0ee973652d6ce91463dc7997fbde69403329c9d1628d83832d3b474817250d27c555c
SHA1 hash: 0de0c1a1187532beab44214b6c6b6a39ba79e599
MD5 hash: 6b7d3eced180bbcfd6b5e50ecb227838
humanhash: cup-hydrogen-thirteen-nevada
File name:inquiry details.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:505'344 bytes
First seen:2023-04-26 14:51:06 UTC
Last seen:2023-05-13 22:52:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:3OVfq/RiZScaPWTtMshwa7fJt93tXg9NieUPw5VlFxVNUYdCa7e1rzXtN1kccgdB:e0/RUMetNwEflJgeQ/xVBZi1zXtxcm
Threatray 2'337 similar samples on MalwareBazaar
TLSH T1B3B46A3C99EE89E6C135F1B2CEBAA821F597C96372429D39A9D711444712EC336C01BF
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 31f098b29298f031 (53 x AgentTesla, 30 x Formbook, 12 x RedLineStealer)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
275
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
inquiry details.scr
Verdict:
Malicious activity
Analysis date:
2023-04-26 14:55:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec4147d2-12a5-4b64-8a86-f2e4ff4eb95a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385082/
Detection(s):
SecuriteInfo.com.Variant.Lazy.335434.23000.31382.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/64493a93f61aa38da9fc00d7/reports/26806be6-d071-4862-9bae-d51d6b7de725/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/11b1fdbb6834a0348d8f4357ff39d363953e399b8221c3b7d635d7e66b9a5ce5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3158e0a-d988-4647-a223-074183010f9f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1221639
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 854590 Sample: inquiry_details.scr.exe Startdate: 26/04/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Found malware configuration 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 9 other signatures 2->59 6 inquiry_details.scr.exe 3 2->6         started        10 Ksbblx.exe 3 2->10         started        12 Ksbblx.exe 2 2->12         started        process3 file4 23 C:\Users\user\...\inquiry_details.scr.exe.log, ASCII 6->23 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->61 63 May check the online IP address of the machine 6->63 65 Contains functionality to register a low level keyboard hook 6->65 14 inquiry_details.scr.exe 17 5 6->14         started        67 Antivirus detection for dropped file 10->67 69 Multi AV Scanner detection for dropped file 10->69 71 Machine Learning detection for dropped file 10->71 19 Ksbblx.exe 14 2 10->19         started        73 Injects a PE file into a foreign processes 12->73 21 Ksbblx.exe 2 12->21         started        signatures5 process6 dnsIp7 29 api4.ipify.org 173.231.16.77, 443, 49692 WEBNXUS United States 14->29 31 api.telegram.org 149.154.167.220, 443, 49698, 49701 TELEGRAMRU United Kingdom 14->31 33 api.ipify.org 14->33 25 C:\Users\user\AppData\Roaming\...\Ksbblx.exe, PE32 14->25 dropped 27 C:\Users\user\...\Ksbblx.exe:Zone.Identifier, ASCII 14->27 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->43 45 Tries to steal Mail credentials (via file / registry access) 14->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->47 35 104.237.62.211, 443, 49699 WEBNXUS United States 19->35 37 api.ipify.org 19->37 39 64.185.227.155, 443, 49700 WEBNXUS United States 21->39 41 api.ipify.org 21->41 49 Tries to harvest and steal browser information (history, passwords, etc) 21->49 51 Installs a global keyboard hook 21->51 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11b1fdbb6834a0348d8f4357ff39d363953e399b8221c3b7d635d7e66b9a5ce5/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-26 04:11:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cgy73o3igsqdjdmpinl76ootmokt4om3qiq4hn6wgxl6m242ltsq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
007a3cbf2cfa788261a8475ccea642bf097870996cf002bc6720d7edc63d25e6
AgentTesla
11b1fdbb6834a0348d8f4357ff39d363953e399b8221c3b7d635d7e66b9a5ce5
AgentTesla
14dc4992e993f0b0b7b176ee8dd0314ab77e1512e6319f0369b6f9fe45369297
AgentTesla
68deb452c9e483d55be8549e72c4cdf0ae22f722e630d8db198381587e7d320f
AgentTesla
aad777a2d2f4c889859ca2fbdc9d2bc782cf989c31d95be12abda966f4cbaf19
AgentTesla
cc0b46f0893ea5dc35f9b929ff85aee651cd310c0bb9cf6431662480b5b04e1e
AgentTesla
de40dc886e65ade21c305d83650d078c5e7cb5ec897e4dcdbf3fd58e7d37f9d7
AgentTesla
+ 2'327 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230426-r8qhlaaa39/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot2107727636:AAGtenJYFQWUHBz27lev7d_3slnNyCuUhxc/
Unpacked files
SH256 hash:
ff3e9c891bd92f0a5ad8fafdbb44c18bba704de515cff7632b4687dedef28297
MD5 hash:
42ff936082ccd2c28e7ae1db4e46209f
SHA1 hash:
e6e5452cf27d8ea2dbdd6410116e1e7c657f90f7
Link:
https://www.unpac.me/results/e6812db4-ba86-4b52-bc1c-ac934f5d7c14/
SH256 hash:
74012c76cb2fb43fc30000d7b43ba354ccd586318060bb55bd093bc28920c6eb
MD5 hash:
50987dd66c6266046f8965f95d602fb3
SHA1 hash:
aff0563671f91a1ca50a8236f6f584e1b60e2d56
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e6812db4-ba86-4b52-bc1c-ac934f5d7c14/
Parent samples :
11b1fdbb6834a0348d8f4357ff39d363953e399b8221c3b7d635d7e66b9a5ce5
a1b51cd2f512acccdcff756a2efc57de5776cf017698334c654116095f75d321
701a8cc94a1cab0f2870b4739f00cd41230525ee120cd906187bb0bc74bf6ac4
SH256 hash:
ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d
MD5 hash:
27f5124bf8f451bca8d8a15c73c4f521
SHA1 hash:
5fd557e109b8fd1c3b362b64f0ba9f1600c07211
Link:
https://www.unpac.me/results/e6812db4-ba86-4b52-bc1c-ac934f5d7c14/
SH256 hash:
11b1fdbb6834a0348d8f4357ff39d363953e399b8221c3b7d635d7e66b9a5ce5
MD5 hash:
6b7d3eced180bbcfd6b5e50ecb227838
SHA1 hash:
0de0c1a1187532beab44214b6c6b6a39ba79e599
Link:
https://www.unpac.me/results/e6812db4-ba86-4b52-bc1c-ac934f5d7c14/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11b1fdbb6834/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11b1fdbb6834a0348d8f4357ff39d363953e399b8221c3b7d635d7e66b9a5ce5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 11b1fdbb6834a0348d8f4357ff39d363953e399b8221c3b7d635d7e66b9a5ce5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/385082/

Comments