MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1787a174f2a65c7b8997c8d21b4d9215f0997677184fc937a7a8457bebe8a1e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1787a174f2a65c7b8997c8d21b4d9215f0997677184fc937a7a8457bebe8a1e0
SHA3-384 hash: 0f29e1c40903888f2658624143ded46d1ba819ea5963c0afcbb0b3734974856770dfdfa32423c8e227341e4ec539df77
SHA1 hash: 8251c8f650ff10ac458dc9ec87e6316d773c6c27
MD5 hash: f74fad3bdb4072c274f420171e108ce3
humanhash: early-stream-september-kitten
File name:STATEMENT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:937'984 bytes
First seen:2022-12-27 00:17:40 UTC
Last seen:2022-12-29 01:17:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:pU9v9A2XzQV+w6DgPQt0xFJMSaL7fG1IY/WdVgTCaWUUFM0R:pGFTXzF9DgPt3aXO1AwGM0
Threatray 9'387 similar samples on MalwareBazaar
TLSH T1A215D5395CAB063FE17FC3B58BD489A3F954E4263B019A2618C643E71B57A8261C3D3D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0f08ab69ecea4e4 (3 x AgentTesla)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
STATEMENT.exe
Verdict:
Malicious activity
Analysis date:
2022-12-27 00:18:59 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/7344ba87-f3a5-48a3-b6ca-41b38ce00567

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64541771.31094.3140.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63aa39bb0fdf1633326c1dc5/reports/39cfc9c3-f942-4e2d-98fb-84fd0dc69a07/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f75d48b-331a-454b-81a2-ad526d24d4c1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1141300
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 774030 Sample: STATEMENT.exe Startdate: 27/12/2022 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Sigma detected: Scheduled temp file as task from temp location 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 7 other signatures 2->52 7 STATEMENT.exe 6 2->7         started        11 WIjKmg.exe 5 2->11         started        13 yGbzOMp.exe 2 2->13         started        15 yGbzOMp.exe 1 2->15         started        process3 file4 38 C:\Users\user\AppData\Roaming\WIjKmg.exe, PE32 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmpECDE.tmp, XML 7->40 dropped 42 C:\Users\user\AppData\...\STATEMENT.exe.log, ASCII 7->42 dropped 68 Uses schtasks.exe or at.exe to add and modify task schedules 7->68 70 Writes to foreign memory regions 7->70 72 Injects a PE file into a foreign processes 7->72 17 RegSvcs.exe 2 5 7->17         started        22 schtasks.exe 1 7->22         started        74 Multi AV Scanner detection for dropped file 11->74 76 Machine Learning detection for dropped file 11->76 24 RegSvcs.exe 11->24         started        26 schtasks.exe 1 11->26         started        28 conhost.exe 13->28         started        30 conhost.exe 15->30         started        signatures5 process6 dnsIp7 44 mail.dominus.com 67.222.55.17, 49701, 49709, 587 UNIFIEDLAYER-AS-1US United States 17->44 36 C:\Users\user\AppData\Roaming\...\yGbzOMp.exe, PE32 17->36 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->54 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->56 58 Tries to steal Mail credentials (via file / registry access) 17->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->60 32 conhost.exe 22->32         started        62 Tries to harvest and steal ftp login credentials 24->62 64 Tries to harvest and steal browser information (history, passwords, etc) 24->64 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->66 34 conhost.exe 26->34         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1787a174f2a65c7b8997c8d21b4d9215f0997677184fc937a7a8457bebe8a1e0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-12-26 08:49:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c6d2c5hsuzohxcmxzdjbwtmscxyjs5txdbh4sn5hvbcxx27iuhqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1c458dbab474aa55c42e465e34a64faae2b567910490621aeda7ffb51b7b29dc
AgentTesla
2b9b066e3049207623a9b58439eedeb0c226895e8a37431fb65ab15fc168636e
AgentTesla
2f356283c209400c6385a24450f266b59477e035e9389c8d1af4843cd1ad2374
AgentTesla
66e8893d8742feb4cf59cba5705d0ed26ec79f7287c873e56b4216b71903af81
AgentTesla
7c042716cacb46c8c1a105fd13ceb1093f20d28c869623c4d2236805876a9f1d
AgentTesla
7c587545b0b8996ec22490ec200a64cd2e0745441797efa78ac3c94aa1592e32
AgentTesla
916d30f29bbbbbbf9cd02ee4c66d611750d1a0aafa7b3f364b35e46216ae90a3
AgentTesla
b8549fd83dc62872515f5257a64cd681fe92ac324cc5f012e07adc08d00c2b75
AgentTesla
+ 9'377 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221227-all38aea57/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
2649e7f78c1303c36b46faba7f201f3b396e8ab11bbd78188076956ad4654cc7
MD5 hash:
8b40589f74f2517a1f4b32f31a7e8011
SHA1 hash:
ea8d16e20235c71ea288c549227978e85095a8d9
Link:
https://www.unpac.me/results/a0b69052-2bdb-4d9c-8565-0b5203f85133/
SH256 hash:
a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash:
404efdeb9931733904da07f96fabeb72
SHA1 hash:
7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
Link:
https://www.unpac.me/results/a0b69052-2bdb-4d9c-8565-0b5203f85133/
SH256 hash:
f2fcc18c392b9d32de18554a70bfd9f86f1f23259f9129fbf658c68c49efc866
MD5 hash:
d9450d47188f023fde98ab45da20e970
SHA1 hash:
4fead228c2f0e1d9564d613ca036604a77e947eb
Link:
https://www.unpac.me/results/a0b69052-2bdb-4d9c-8565-0b5203f85133/
SH256 hash:
1787a174f2a65c7b8997c8d21b4d9215f0997677184fc937a7a8457bebe8a1e0
MD5 hash:
f74fad3bdb4072c274f420171e108ce3
SHA1 hash:
8251c8f650ff10ac458dc9ec87e6316d773c6c27
Link:
https://www.unpac.me/results/a0b69052-2bdb-4d9c-8565-0b5203f85133/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1787a174f2a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1787a174f2a65c7b8997c8d21b4d9215f0997677184fc937a7a8457bebe8a1e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar cee8e79053b4fc4a35eebb4a909a170d6633396bf347085bc5d4b82b5f4179bb

AgentTesla

Executable exe 1787a174f2a65c7b8997c8d21b4d9215f0997677184fc937a7a8457bebe8a1e0

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cee8e79053b4fc4a35eebb4a909a170d6633396bf347085bc5d4b82b5f4179bb
  
Dropped by
MD5 f4ef35c7675cf9ecd54ed59d53bc7b71
  
Dropped by
SHA256 b1f282dadfef931b6e3b41353b3cc674709521a3d0f517bc224e0a10feebb572
  
Dropped by
MD5 73c2b20ada796ed2db6f01d34a20d947

Comments