MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652
SHA3-384 hash: 4f6cfd35008fcc4e437d2fc8afcee5719bbf208b4510a36e625c96f8047aed06d391c5c920bc026b8240ea71c99aed35
SHA1 hash: 8c979bceb158d742c53c44aa6ff016f584826a93
MD5 hash: f6be23c3f7026244588232f8f0a325cb
humanhash: kentucky-freddie-asparagus-summer
File name:INQUIRY7908-PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'948'160 bytes
First seen:2023-10-25 11:42:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa3b722e205828938fb31d64d4d39adc (1 x AgentTesla, 1 x DBatLoader)
ssdeep 24576:CZWP3Mm+MYaUVfsaH9EYmZBR4kfSQ/dTdXnZvjqhrycDeu+6SXVTBtnJfWLrgtbS:COMiYJ9EWYz3ZvOFqu+6SXIrg7dCb
Threatray 2 similar samples on MalwareBazaar
TLSH T11395F1FAE3F1983BF07385349FDEC1E47C2C7965AC05691B66D40A8C9638AD1B92406F
TrID 36.1% (.SCR) Windows screen saver (13097/50/3)
29.0% (.EXE) Win64 Executable (generic) (10523/12/4)
12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 74f4d4dce4e4d4dc (1 x AgentTesla, 1 x DBatLoader)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
INQUIRY7908-PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-10-25 11:45:15 UTC
Tags:
dbatloader stealer agenttesla
Link:
https://app.any.run/tasks/a20a0510-d6e0-4128-9e5c-cde2e2f92912

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456263/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.9475.19876.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin packed remcos
Link:
https://www.filescan.io/uploads/6538ff472b74b3f20ddaf66b/reports/8dd0389d-e611-4c36-9fb3-f6b6c74b6430/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/903609ea-d159-4e70-ac20-4b4a49cbe54d
Result
Threat name:
AgentTesla, DBatLoader, RedLine, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331842
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected DBatLoader
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331842 Sample: INQUIRY7908-PDF.exe Startdate: 25/10/2023 Architecture: WINDOWS Score: 100 67 web.fe.1drv.com 2->67 69 w0qurg.sn.files.1drv.com 2->69 71 3 other IPs or domains 2->71 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 Multi AV Scanner detection for dropped file 2->81 83 9 other signatures 2->83 12 INQUIRY7908-PDF.exe 1 8 2->12         started        16 Mxvmxjja.PIF 2->16         started        18 Mxvmxjja.PIF 2->18         started        signatures3 process4 file5 57 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->57 dropped 59 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->59 dropped 61 C:\Users\Public\Libraries\ajjxmvxM.pif, PE32 12->61 dropped 63 C:\Users\Public\Libraries\Mxvmxjja.PIF, PE32 12->63 dropped 107 Drops PE files with a suspicious file extension 12->107 109 Writes to foreign memory regions 12->109 111 Allocates memory in foreign processes 12->111 20 cmd.exe 1 12->20         started        23 ajjxmvxM.pif 2 12->23         started        113 Multi AV Scanner detection for dropped file 16->113 115 Machine Learning detection for dropped file 16->115 117 Sample uses process hollowing technique 16->117 26 ajjxmvxM.pif 16->26         started        28 ajjxmvxM.pif 18->28         started        signatures6 process7 dnsIp8 85 Uses ping.exe to sleep 20->85 87 Drops executables to the windows directory (C:\Windows) and starts them 20->87 89 Uses ping.exe to check the status of other devices and networks 20->89 30 easinvoker.exe 20->30         started        32 PING.EXE 1 20->32         started        35 xcopy.exe 2 20->35         started        38 8 other processes 20->38 73 terminal7.veeblehosting.com 185.56.136.50, 587 SECUREDSERVERS-EU Malta 23->73 91 Detected unpacking (changes PE section rights) 23->91 93 Detected unpacking (overwrites its own PE header) 23->93 95 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->95 97 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->97 99 Tries to steal Mail credentials (via file / registry access) 28->99 101 Tries to harvest and steal browser information (history, passwords, etc) 28->101 signatures9 process10 dnsIp11 40 cmd.exe 1 30->40         started        65 127.0.0.1 unknown unknown 32->65 53 C:\Windows \System32\easinvoker.exe, PE32+ 35->53 dropped 55 C:\Windows \System32\netutils.dll, PE32+ 38->55 dropped file12 process13 signatures14 103 Adds a directory exclusion to Windows Defender 40->103 43 cmd.exe 1 40->43         started        46 conhost.exe 40->46         started        process15 signatures16 105 Adds a directory exclusion to Windows Defender 43->105 48 powershell.exe 27 43->48         started        process17 signatures18 75 DLL side loading technique detected 48->75 51 conhost.exe 48->51         started        process19
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 05:56:07 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnk6pte35g55iwuenywbx7j7blkyizpi4h5mcdidolvd3croqzja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
5e9fb70e299a28b494b0ef9522226219e4dbf7dcf1aeae541f23eaa90ff3f28f
AgentTesla
af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650
AgentTesla
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:modiloader family:zgrat keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231025-nvkhmsha8t/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
AgentTesla
Detect ZGRat V1
ModiLoader, DBatLoader
ZGRat
Unpacked files
SH256 hash:
7c45bf2b96f83862d041b02f815b22013fc013c734aa23837da1a6265065c3fe
MD5 hash:
03f378057f182976ec0143a6067e6cea
SHA1 hash:
d4f55dd9e73995435d8a88d59388d05b2f1f4b64
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/1ad85805-1dae-4e9b-b957-c1a04a33ab7f/
Parent samples :
1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652
052e1b54c491c63c662fa47b08b71ba2f2c25bbb20bca619893785b87f90257d
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/1ad85805-1dae-4e9b-b957-c1a04a33ab7f/
SH256 hash:
1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652
MD5 hash:
f6be23c3f7026244588232f8f0a325cb
SHA1 hash:
8c979bceb158d742c53c44aa6ff016f584826a93
Link:
https://www.unpac.me/results/1ad85805-1dae-4e9b-b957-c1a04a33ab7f/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1355e7cc9be9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/456263/

Comments