MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 171c707afb64b5ad621864968ce888af80401c2247b5b21a05f45985063d5b88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 5 File information Comments

SHA256 hash:	171c707afb64b5ad621864968ce888af80401c2247b5b21a05f45985063d5b88
SHA3-384 hash:	883913832fc857fcc643291c73434268cdb3ad80e9ae2850921fc4bae45101803a8cbbeb03b7d2b06409298d0b7d4fd9
SHA1 hash:	a3e093bdc426e5252360183ba677c8f968a4ba5d
MD5 hash:	de10eff61fa8ac7c0d98c6a0aaf5231e
humanhash:	massachusetts-snake-one-sierra
File name:	PO-987098.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	349'184 bytes
First seen:	2023-09-14 23:05:22 UTC
Last seen:	2023-09-14 23:55:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:Pr3LLPrx/Q2+mLLygc5aiEtk3ciynTjcY3ixH+YgsxqaoXmMH59:Pr3LLqG/dlk3XyvcPHYsxi2MZ9
Threatray	5'660 similar samples on MalwareBazaar
TLSH	T1C774021DABC98B54F0EF867294B7524283F5E106BA39D3880EE771D70E2BB560016F67
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla C2:
http://suchitanandanmahavidyalaya.org/test/inc/184d347f3c08fb.php

Intelligence

File Origin

# of uploads :

# of downloads :

313

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

PO-987098.exe

Verdict:

Malicious activity

Analysis date:

2023-09-14 23:07:46 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/7dff2938-d8ba-4152-a587-ed649689e220

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/448719/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.DSR.tr.11561.18564.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/650391dbbde819a1d929379d/reports/cb54aab3-45f3-40c4-b010-3178a7a62328/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/171c707afb64b5ad621864968ce888af80401c2247b5b21a05f45985063d5b88

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/28ac4253-1983-43a0-8858-9a4087860e44

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1308631

Signature

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/171c707afb64b5ad621864968ce888af80401c2247b5b21a05f45985063d5b88/

Threat name:

Win32.Trojan.Znyonm

Status:

Malicious

First seen:

2023-09-14 23:06:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4oha6x3ms222yqymsliz2eiv6aeahbci623egqf6rmykbr5loea._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2ee41490283fad1457d4870ff08f65cf2a6fd2ff0632fae5e365170824111f36

AgentTesla

4d9a6071be4656cdcc39fccd1082a68d0e214b20d71bad02c0f71609ece75d71

AgentTesla

5d1e3eddb5c1b6fbbcb136094098945e7db58322b8cf9d2b138e566a447a75eb

AgentTesla

696e61d463de9a976ba014bed15d1a627c9644d1ae8080aa1be7dc2e03acf5ae

AgentTesla

8f1d9ef849d1daaa02e53aceb204985481f9e87bb932d767793fed4aee6dd1ae

AgentTesla

ab701ac288408c45b6a0d0d7cc7f71b44309cd32b64544a3244511098ee20bf6

AgentTesla

edce8f80d69409249e3811bb8b8347bb8151147fd186f0c8847085d2840193be

AgentTesla

+ 5'650 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230914-23dlysff6x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

b0c405fbcdccb59ccbc229e6b6fcb84c326cb03b234b4bbf7527c76ed305ff01

MD5 hash:

c7192d7825ea75af11b37e16940ffbe0

SHA1 hash:

e4263b34322d341c11ffb0e20968e025ed6d39b4

Link:

https://www.unpac.me/results/d4d9c771-25e1-4126-be15-e944e8f1a42d/

SH256 hash:

b39991e0cf1630a6fb51e58475485017cb871bca1a115835abf895df24f18dde

MD5 hash:

fa4f67bc731fc3c41fb6d2609a7ddd76

SHA1 hash:

a7b387ac011f0ac1a6ce602c9bc30d89d487f09d

Link:

https://www.unpac.me/results/d4d9c771-25e1-4126-be15-e944e8f1a42d/

SH256 hash:

f99a0257cc349edbb4b1153b30b65a30706e8fe7bd1c72e53872b32b172c2dc4

MD5 hash:

c50db9a97b65f8f011b1a5b9b6ce59ff

SHA1 hash:

5cdc1ec9292847724bd6fa2777f351081e962c51

Link:

https://www.unpac.me/results/d4d9c771-25e1-4126-be15-e944e8f1a42d/

SH256 hash:

171c707afb64b5ad621864968ce888af80401c2247b5b21a05f45985063d5b88

MD5 hash:

de10eff61fa8ac7c0d98c6a0aaf5231e

SHA1 hash:

a3e093bdc426e5252360183ba677c8f968a4ba5d

Link:

https://www.unpac.me/results/d4d9c771-25e1-4126-be15-e944e8f1a42d/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/171c707afb64/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/171c707afb64b5ad621864968ce888af80401c2247b5b21a05f45985063d5b88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/448719/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample