MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17bd7aa4aca93d885db9713836c87f1d73b4f9190f52bc4e052272d19a891cf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17bd7aa4aca93d885db9713836c87f1d73b4f9190f52bc4e052272d19a891cf1
SHA3-384 hash: e303a8d00c266fa6d96ab8f9278b5976fd02a3c23f48d98aaaad3816e34a2727ffdd14bdf984788dbf014c4e516455a6
SHA1 hash: 2f3c5ae3801a7fa16391e11c14607664cd584e2c
MD5 hash: 77ff9a75c2243fc5f045932f222158e0
humanhash: shade-delaware-mexico-lion
File name:77ff9a75c2243fc5f045932f222158e0
Download: download sample
Signature AgentTesla
Create hunting rule
File size:662'016 bytes
First seen:2023-06-24 06:14:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:64M2iNh4/mNUABQgKXAYKzeA8RA57DdgKgeSUH4b6g5y:XM1D4/QUQQlX/KzB8wOfsM6g5y
Threatray 4'056 similar samples on MalwareBazaar
TLSH T1BBE4011A60B14A61F4365FF9A0B141A1CBFDF956FA12F34E1FE830F90583B514A53AA3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0cc8e8e8eccccf0 (19 x AgentTesla, 8 x Loki, 7 x Formbook)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
77ff9a75c2243fc5f045932f222158e0
Verdict:
Malicious activity
Analysis date:
2023-06-24 06:17:02 UTC
Tags:
agenttesla rat
Link:
https://app.any.run/tasks/1e9e2dd2-7ac6-4106-b5c5-ee381a3b1b62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/402310/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/649689e7942dd42877ba7466/reports/bbc08e4d-9977-46d8-ac4b-c72ea8b2d7ad/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/17bd7aa4aca93d885db9713836c87f1d73b4f9190f52bc4e052272d19a891cf1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3758143b-a3e3-45c2-86a6-c61e04171b1d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1260843
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/17bd7aa4aca93d885db9713836c87f1d73b4f9190f52bc4e052272d19a891cf1/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-06-24 06:15:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c66xvjfmve6yqxnzoe4dnsd7dvz3j6izb5jlytqfejzndgujdtyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05b9b2ba7cef56b08f7d979f09119528e4de33b6165599c5f550b8c3c7a3f9d2
AgentTesla
1c4c7802f3a6bcc8d0355ad3e5c482c0fcdcb79845733a5ffe5c081ef59241cb
AgentTesla
3034f4c4123e20d2d2306263c3fc0cf2ddd0b9ed15e480386d45c4550140233c
AgentTesla
4d60f9998376b2059e5a19aa9337f44285cce66c0e6bf0535de18a87d3aaf973
AgentTesla
59084f9c3435606045261122fcece85c7dcff26b245657929a983e896b905405
AgentTesla
813ee787efe7691b84a7286dfb567f0f6f377f3ac0f0d2dc200e106df9f8f222
AgentTesla
9267fc3af8040cbf3f53d4501c063d70e54574c98d7133a5c18c8d5b9686d901
AgentTesla
996802dcddf7a2afc542a0d2eab92d8243a3126dd2f9a8c6e8cb9cebc09e8d61
AgentTesla
bd46a723d17048369ac18ff1a2ec0d0f54a8a4a3c5e23d56a53e014a02d1c42e
AgentTesla
ea9f2431a64fc69fa9fdc839c8526744ede33f35a8e0a7b703fa2e03382c49d2
AgentTesla
+ 4'046 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230624-gzwyxaac46/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672
MD5 hash:
14ee8b8b7e47469317d1012f0898b111
SHA1 hash:
c6da4e2f1ab8c277129026648cbf97d8d6126245
Link:
https://www.unpac.me/results/e79089ae-c4d5-433d-aab0-7c2a6268e072/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/e79089ae-c4d5-433d-aab0-7c2a6268e072/
SH256 hash:
c361f0668cfc0d57dfdf44fc6f0e26c0f5357566acfc69cfa15de7d59b2ea0c9
MD5 hash:
b332091fb0f349b9c8d9de430b62a5b5
SHA1 hash:
3446c9b83fc21b1b3777da31a3848245906aa54e
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e79089ae-c4d5-433d-aab0-7c2a6268e072/
Parent samples :
813ee787efe7691b84a7286dfb567f0f6f377f3ac0f0d2dc200e106df9f8f222
9267fc3af8040cbf3f53d4501c063d70e54574c98d7133a5c18c8d5b9686d901
4d60f9998376b2059e5a19aa9337f44285cce66c0e6bf0535de18a87d3aaf973
996802dcddf7a2afc542a0d2eab92d8243a3126dd2f9a8c6e8cb9cebc09e8d61
3034f4c4123e20d2d2306263c3fc0cf2ddd0b9ed15e480386d45c4550140233c
1c4c7802f3a6bcc8d0355ad3e5c482c0fcdcb79845733a5ffe5c081ef59241cb
59084f9c3435606045261122fcece85c7dcff26b245657929a983e896b905405
17bd7aa4aca93d885db9713836c87f1d73b4f9190f52bc4e052272d19a891cf1
1d0cf9a5e034371075cf0a328d98c53f4eeb74325d61ee956222346ebb1f5497
53e575805dc9d69c41f366e65946a7d4adf051f322f463f70e9b2f80d50450cb
cd917c86fe27ecd3feeca690377817bce1f4034830e6d68a19dbffc8c61e97bb
6666bd3cfd70f1e45584b1a6ff5820e2717e177d32ed196201306ef99c957cc7
SH256 hash:
7287fcaf4adcd53377d2f55c67ad2050867449e7c65d6efbb239f0e46785537f
MD5 hash:
1ff5b9d554b1bcad7e1353d882bfdfa9
SHA1 hash:
00555014f7f88e93e5e2fdd3a228200648fc359c
Link:
https://www.unpac.me/results/e79089ae-c4d5-433d-aab0-7c2a6268e072/
SH256 hash:
17bd7aa4aca93d885db9713836c87f1d73b4f9190f52bc4e052272d19a891cf1
MD5 hash:
77ff9a75c2243fc5f045932f222158e0
SHA1 hash:
2f3c5ae3801a7fa16391e11c14607664cd584e2c
Link:
https://www.unpac.me/results/e79089ae-c4d5-433d-aab0-7c2a6268e072/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/17bd7aa4aca9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17bd7aa4aca93d885db9713836c87f1d73b4f9190f52bc4e052272d19a891cf1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 17bd7aa4aca93d885db9713836c87f1d73b4f9190f52bc4e052272d19a891cf1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/402310/
  
URLhaus
https://urlhaus.abuse.ch/url/2670758/

Comments


Avatar
zbet commented on 2023-06-24 06:14:49 UTC

url : hxxp://194.180.48.59/thirdagodzx.exe