MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17c6ca8dd665049e6bca2a1813289ab85037f67c6ea8aad739731c818354e67a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17c6ca8dd665049e6bca2a1813289ab85037f67c6ea8aad739731c818354e67a
SHA3-384 hash: afb8d0af2676c3bea0bda9841bcebe37e62533e6e280479b9a359ee3b6877065ede212f31971b093cfb2159f83a26cd8
SHA1 hash: 26f3bdacb5eece4b2220a695ad2e8f320571cb8b
MD5 hash: ad7fa4ea1cef139146e276cd559e2332
humanhash: salami-mike-green-nineteen
File name:Havale Referansı 0230958PO541150_jpg .exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:218'112 bytes
First seen:2024-01-17 07:19:08 UTC
Last seen:2024-01-17 17:04:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:s9rZ4epJFbu/k8w70df7eNg8gTZJk0M7m4u2XTho8HwUYiVqXeXv59HN:s0epjJ700gtTbS7i2XThZwfQq
Threatray 6'249 similar samples on MalwareBazaar
TLSH T10D248C83288642B4F45B0E3891722C446277AF9ABC7BF549BD17B1638B733D775A2807
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 77c5194749693a1a (2 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
356
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12133.21458.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/17c6ca8dd665049e6bca2a1813289ab85037f67c6ea8aad739731c818354e67a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3fd0bf2-a3fe-41ae-a157-175439ec94ac
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1375881
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/17c6ca8dd665049e6bca2a1813289ab85037f67c6ea8aad739731c818354e67a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17c6ca8dd665049e6bca2a1813289ab85037f67c6ea8aad739731c818354e67a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-01-17 07:20:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7dmvdowmucj426kfimbgke2xbidp5t4n2ukvvzzomoida2u4z5a._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
6af6f1e03bf8c177c98b8fe74b5dd447c19d8e8534f4a901935df29242a04dbe
AgentTesla
6cb36f0f7e413667ee3a0fbc42e6c95e08853e1025f8382270e63e91dad0a0fb
AgentTesla
8645bdb895457e08db9625bba8903490cecaad66c6cd3c0af3688afa60a425c1
AgentTesla
8a2668c26c25219a4ae1646a53a3704113cff49697347e119e110b28ace9c49a
AgentTesla
c85d22efc496f0a219b604a451155446480f45d7e61c56fadedbf41688bede62
AgentTesla
e59982d604d5291f603029cba5d5e18b95ee831e29f5dfe49950738b07d78652
AgentTesla
+ 6'239 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/240117-h535vabfc8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
17c6ca8dd665049e6bca2a1813289ab85037f67c6ea8aad739731c818354e67a
MD5 hash:
ad7fa4ea1cef139146e276cd559e2332
SHA1 hash:
26f3bdacb5eece4b2220a695ad2e8f320571cb8b
Link:
https://www.unpac.me/results/9d86fd4f-23b7-4f8f-af7e-db95a01ab3ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17c6ca8dd665049e6bca2a1813289ab85037f67c6ea8aad739731c818354e67a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 17c6ca8dd665049e6bca2a1813289ab85037f67c6ea8aad739731c818354e67a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments