MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17c5a2879cd2f4277cc00047e8f20c39fe9f8849bdf7bb21e0b272309d7ef50b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	17c5a2879cd2f4277cc00047e8f20c39fe9f8849bdf7bb21e0b272309d7ef50b
SHA3-384 hash:	47f44d4e33e8d8402d0a08a9e33e1ec513cf956f5f328cff9e54bfa84cf8bd2674a739c976c793737affe1c9cd4d8e49
SHA1 hash:	5f2fa7104c3ca939d1666012560e5ffd7438051d
MD5 hash:	e5b1971ffaf9640dc601cb3da3e5bc82
humanhash:	jig-steak-kentucky-august
File name:	SecuriteInfo.com.Win64.PWSX-gen.8563.27113
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	3'411'456 bytes
First seen:	2022-12-08 22:27:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:+8AQmTfd4CsmmkDXf9PA4XcuMqlXuXTwA+ebOIuJSto:+8AQmTfdh/VeFp+e6TJS
TLSH	T19EF5ABEF5FBAE73560E9D36287C24E7F18908DCAD2E6623CB0590A543468D0E7177722
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/344509/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.8563.27113.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/639264f404e0e79bdf419b2b/reports/690a0e08-fb9d-4dd8-bdb0-5686a76f4414/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/f4349499-5f46-439a-935c-2f3042cc3615

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1131075

Signature

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17c5a2879cd2f4277cc00047e8f20c39fe9f8849bdf7bb21e0b272309d7ef50b/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2022-12-08 21:47:13 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

13 of 26 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c7c2fb442l2co7gaabd6r4qmhh7j7ccjxx33wipawjzdbhl66ufq._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221208-2dm44aef7y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Maps connected drives based on registry

Checks BIOS information in registry

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5482315235:AAGwacbjVLMaBQENAXUuPyVg-cvhlK0vn-w/

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4dd0dacb-f136-4ec2-ae04-3fd8f43d1e47

Unpacked files

SH256 hash:

17c5a2879cd2f4277cc00047e8f20c39fe9f8849bdf7bb21e0b272309d7ef50b

MD5 hash:

e5b1971ffaf9640dc601cb3da3e5bc82

SHA1 hash:

5f2fa7104c3ca939d1666012560e5ffd7438051d

Link:

https://www.unpac.me/results/7312a6c3-fe6d-40bb-9045-0dd86534d84f/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/17c5a2879cd2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/17c5a2879cd2f4277cc00047e8f20c39fe9f8849bdf7bb21e0b272309d7ef50b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/344509/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample