MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 130fe56cb2926721957a6c7a1430a7f954a85fd59a612c3e91027c4eb1cadbd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	130fe56cb2926721957a6c7a1430a7f954a85fd59a612c3e91027c4eb1cadbd1
SHA3-384 hash:	ec2febc2396f50f153e376134f69f02e077a28f51e1d606983f013558b665a73fa80faa15a0b77f1d3d6006e3085f468
SHA1 hash:	785ff56e7a6ff60c9c20c32b4729b34ca143039a
MD5 hash:	d55871ce9a4a9bf4fd214ab1ae21af1c
humanhash:	whiskey-march-november-spaghetti
File name:	EIEZuJif.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	4'737'024 bytes
First seen:	2024-01-19 05:40:46 UTC
Last seen:	2024-01-19 07:28:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	58c1f7ef556a75e5abaa1184b6b6cce6 (1 x Formbook, 1 x AgentTesla)
ssdeep	49152:6FLFS2PohQFpMMZjv4Ln9hSw9qv9e0ViM2DKTgFCeRM3yp92FUXb9zsv+63kWbF:bFcvWM26y7zXJWv
Threatray	57 similar samples on MalwareBazaar
TLSH	T1AB268D06AFD415D4E46ACB30C56B9732EAB1FC990731C72F0811D34A1E739E19E6FA26
TrID	72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 13.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.5% (.EXE) OS/2 Executable (generic) (2029/13) 2.5% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	009286868686f800 (4 x Stealc, 4 x AgentTesla, 3 x Smoke Loader)
Reporter	adm1n_usa32
Tags:	64 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

328

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/471617/

Detection(s):

SecuriteInfo.com.Win64.RATX-gen.23184.29076.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Adding an access-denied ACE

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Creating a file in the %AppData% subdirectories

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug control lolbin stealer

Link:

https://www.filescan.io/uploads/65aa0b708369fab94df0ce56/reports/19484e8f-ef03-4e67-819e-59cfdbd433fb/overview

Verdict:

Malicious

Labled as:

Trojan.GenericS

Link:

https://www.hybrid-analysis.com/sample/130fe56cb2926721957a6c7a1430a7f954a85fd59a612c3e91027c4eb1cadbd1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f4ecaaa-3b37-4d78-a690-426264611f67

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1377226

Signature

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Score:

90%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/130fe56cb2926721957a6c7a1430a7f954a85fd59a612c3e91027c4eb1cadbd1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/130fe56cb2926721957a6c7a1430a7f954a85fd59a612c3e91027c4eb1cadbd1/

Threat name:

Win64.Trojan.FormBook

Status:

Malicious

First seen:

2024-01-18 14:31:07 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cmh6k3fssjtsdfl2nr5bimfh7fkkqx6vtjqsypuraj6e5mok3piq._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

335af721e0b46dee9598cdfb55bc2421e070fc43f42ff50b23d0e985bf9883a1

AgentTesla

336cf34d2aa06efac3dbf65e742c9947ce39f6f5388047c47a6b71542e36929d

AgentTesla

a9c1d8c8cb11d51a9f8b31548842c4be98d23c510ddd40d4690b837e4e27195a

AgentTesla

b75b7cd9470523130d3983b9618fb8a010042ec85a158cb2215f3ed56fff8e5b

AgentTesla

f26e377ce95895c9d2da1482b565eff58aed2104a63825e175038985c3739d04

AgentTesla

+ 47 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/240119-gdfd2aged8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

130fe56cb2926721957a6c7a1430a7f954a85fd59a612c3e91027c4eb1cadbd1

MD5 hash:

d55871ce9a4a9bf4fd214ab1ae21af1c

SHA1 hash:

785ff56e7a6ff60c9c20c32b4729b34ca143039a

Link:

https://www.unpac.me/results/ef2a186f-2223-4c2a-99cb-f63f02222c35/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/130fe56cb292/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/130fe56cb2926721957a6c7a1430a7f954a85fd59a612c3e91027c4eb1cadbd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://www.hybrid-analysis.com/sample/130fe56cb2926721957a6c7a1430a7f954a85fd59a612c3e91027c4eb1cadbd1

Cape

https://www.capesandbox.com/analysis/471617/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample