MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11f4870cd0e6fb7ca821b95e19c90dc7def655d2e1e9a56abc81fd2f245119f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11f4870cd0e6fb7ca821b95e19c90dc7def655d2e1e9a56abc81fd2f245119f1
SHA3-384 hash: 910b106411573eb5c14a0426852cd0a8c20becd1f86a16b2bbc40a0c99e0da34dae048955d1de6b0ea1cf22b96284ffa
SHA1 hash: d24b056768d304a3f0d63b9d88e38efe9ff7aef9
MD5 hash: 74918395c6a9352de73eb8039366ac59
humanhash: three-lactose-item-king
File name:74918395c6a9352de73eb8039366ac59
Download: download sample
Signature AgentTesla
Create hunting rule
File size:793'088 bytes
First seen:2023-02-20 09:57:17 UTC
Last seen:2023-02-20 11:42:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:wJd+gc4jIe3ma79+qC9jLZJRbFueVjBfU31gWybr2ay4eaIXSPJcHKx:w7+oIe2aZtC9j+ejBM3mWy7ILq
Threatray 1'185 similar samples on MalwareBazaar
TLSH T131F48C9977B46473F4CB01EE583827CC2E2066537609E22FA777BB91A2719FB72C5201
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0b4dccadcc366b4d (2 x AgentTesla)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PaymentXAdviceX564302.docx
Verdict:
Malicious activity
Analysis date:
2023-02-20 07:16:34 UTC
Tags:
exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/f5d76bdb-0796-483a-a7f4-a74a6d5aaf82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368380/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f3442c42bf85850e3e3cf6/reports/733ab6ce-0012-4a72-ae75-422631fc2b35/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/11f4870cd0e6fb7ca821b95e19c90dc7def655d2e1e9a56abc81fd2f245119f1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fe5b691-0127-4739-abd4-50c33080880a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179090
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 811915 Sample: YmpjIMjWrg.exe Startdate: 20/02/2023 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected AgentTesla 2->43 45 Machine Learning detection for sample 2->45 6 YmpjIMjWrg.exe 3 2->6         started        10 gcWPrHZ.exe 3 2->10         started        12 gcWPrHZ.exe 2 2->12         started        process3 file4 23 C:\Users\user\AppData\...\YmpjIMjWrg.exe.log, ASCII 6->23 dropped 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->47 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->49 51 Injects a PE file into a foreign processes 6->51 14 YmpjIMjWrg.exe 2 5 6->14         started        53 Multi AV Scanner detection for dropped file 10->53 55 Machine Learning detection for dropped file 10->55 19 gcWPrHZ.exe 2 10->19         started        21 gcWPrHZ.exe 2 12->21         started        signatures5 process6 dnsIp7 29 us2.smtp.mailhostbox.com 208.91.198.143, 49697, 49698, 49699 PUBLIC-DOMAIN-REGISTRYUS United States 14->29 31 192.168.2.1 unknown unknown 14->31 25 C:\Users\user\AppData\Roaming\...\gcWPrHZ.exe, PE32 14->25 dropped 27 C:\Users\user\...\gcWPrHZ.exe:Zone.Identifier, ASCII 14->27 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file / registry access) 14->35 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->37 39 Tries to harvest and steal browser information (history, passwords, etc) 21->39 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/11f4870cd0e6fb7ca821b95e19c90dc7def655d2e1e9a56abc81fd2f245119f1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-20 09:58:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ch2iodgq435xzkbbxfpbtsiny7ppmvos4hu2k2v4qh6s6jcrdhyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
011c5a93fcf5f1fda343e254b6be02737381be4df4bdec1aa07c8ad23b540599
AgentTesla
0f2eb05747be67744f7e1cd96f79c2c4243b5541a2b61f51b6e8527aceb35123
AgentTesla
1326d9172aa0687e037a43b532cf2fb0e2ba90bff2e35efdebac87c3b06560f2
AgentTesla
20c94daf0506d27a6bd3de27e378fc900dd44a32328a41912d60fd26677d426d
AgentTesla
4033d9c9ef268cf2bdf04bb0e1c549e5461ba27026797edf70121468abbd1203
AgentTesla
8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d
AgentTesla
ba542ce1c5d0e51b1e22b56570886c6b7355c2db9e79c440f03a2116966421d8
AgentTesla
bc080be46ac6e8aaff225091e2afdb6074fed20e30d30e1ad018f58a1e1901b7
AgentTesla
dc79d4c2b306acde175efe3396a0ed77062c6b04d8a03e2532038c3cd4c6e709
AgentTesla
f144fef878393aa69f18f5cf812ee9a62b0224ccb21936321c8f98d65c98d2f6
AgentTesla
+ 1'175 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230220-lzhhqshh9v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
680c4ebc25c9f2f98eed0e9fadb18e60272e9cb814f5ca2d51f11000c3199ee9
MD5 hash:
0d657c3a53676c19d7497856acda4fe3
SHA1 hash:
f17b23a479c47d0711649abf680453d3d93d78eb
Link:
https://www.unpac.me/results/bdcf0784-64c9-4d47-af54-7ff7c97dc3d2/
SH256 hash:
a735ded3a1672f8b805347fdd18fc92d308055ee189e4d79e1a425b5ed99ba07
MD5 hash:
34d9f199cff9563e945f3ac317dcb5e8
SHA1 hash:
9f8cf06cc2859d37f56e336e51406a3c41807fda
Link:
https://www.unpac.me/results/bdcf0784-64c9-4d47-af54-7ff7c97dc3d2/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/bdcf0784-64c9-4d47-af54-7ff7c97dc3d2/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
e93b6433988ea667e7d71432d77170d0749a65318bb9bc89afa5a4d57a413f83
MD5 hash:
ef0d85c76794a124fe1185f032f50205
SHA1 hash:
3fbdf30fbaf41d61df7eab8a92cdc7a93ebf730b
Link:
https://www.unpac.me/results/bdcf0784-64c9-4d47-af54-7ff7c97dc3d2/
SH256 hash:
febd5aecda58f43ec76dc2c88af75afc01fb191a6a8f8848aad1a68e3b55b5f3
MD5 hash:
eae360bede736b1f8871d10383e14fe8
SHA1 hash:
0b46ba6c937ceb971a4b49bdbb24b1b56e840398
Link:
https://www.unpac.me/results/bdcf0784-64c9-4d47-af54-7ff7c97dc3d2/
SH256 hash:
11f4870cd0e6fb7ca821b95e19c90dc7def655d2e1e9a56abc81fd2f245119f1
MD5 hash:
74918395c6a9352de73eb8039366ac59
SHA1 hash:
d24b056768d304a3f0d63b9d88e38efe9ff7aef9
Link:
https://www.unpac.me/results/bdcf0784-64c9-4d47-af54-7ff7c97dc3d2/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11f4870cd0e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/11f4870cd0e6fb7ca821b95e19c90dc7def655d2e1e9a56abc81fd2f245119f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 11f4870cd0e6fb7ca821b95e19c90dc7def655d2e1e9a56abc81fd2f245119f1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2545608/
Cape
Cape
https://www.capesandbox.com/analysis/368380/

Comments


Avatar
zbet commented on 2023-02-20 09:57:25 UTC

url : hxxp://107.175.202.151/9902/vbc.exe