MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17e794be3e69813de034e7f792ac7d05bed22fde3d9fa773d14d4f30a175f4c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	17e794be3e69813de034e7f792ac7d05bed22fde3d9fa773d14d4f30a175f4c7
SHA3-384 hash:	b6e0a196006e25dfd2ee8d7222193524f1d98b7eba4a2dc6f2116723056a26d934d8a47f10616dc5204239f5ef2388e1
SHA1 hash:	fad8f3386a60f9945527a6fe781182933d7fd4a6
MD5 hash:	47fc98bea34e29b3ab5a640a4d4b91f3
humanhash:	delaware-mango-venus-alpha
File name:	SecuriteInfo.com.Trojan.Packed2.44634.5278.3215
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	976'384 bytes
First seen:	2022-11-22 04:32:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:3M+L74mBfNUstzo1nVtJ2SgnxYTUCpO9QjXOieE2WX3r8JN:6nVtlBUCH6ieEJXI
Threatray	23'731 similar samples on MalwareBazaar
TLSH	T16B256B4F2B7FDEF0EB245CFB221457039D3251DABA8ACA7883984BC660F261C5B75464
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Trojan.Packed2.44634.5278.3215

Verdict:

Malicious activity

Analysis date:

2022-11-22 04:38:39 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/2fc4f47d-c8dc-4493-952a-c5c8b8ce2eec

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/337044/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.44634.5278.3215.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/637c50cda0efd596b82f1553/reports/31f9b5b0-0987-4d2e-b730-464460f4e1c3/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/66f92ce0-432a-48ac-911f-8b838ff39af5

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1118638

Signature

.NET source code contains potential unpacker

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17e794be3e69813de034e7f792ac7d05bed22fde3d9fa773d14d4f30a175f4c7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-22 04:33:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c7tzjpr6ngat3ybu473zfld5aw7nel66hwp2o46rjvhtbilv6tdq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4971385527e6ce21165b8b519928f83c20e9e32488dcb4309c3241e0721e1f85

AgentTesla

54d48500414b67ed625499d5d6e77230e4e460622d96d5d333a32aea4573ca9e

AgentTesla

5db110dfb57b23725b541beb1cf53e421e94ad03e87b33c8471c96f6a7e3dadc

AgentTesla

7531bcbb7c97977edc17cb20cba271633aa0173bd26a614920194591242a0675

AgentTesla

85903be1134e3fa9350cdf744c0ef9505f97a52a63641c5d0d4bc960b5d4d824

AgentTesla

f63be70bc011d2549aad48b9ad4fea0784922d36ef4bc3b22590210dbb28fe7f

AgentTesla

fca38c9e052eff6de41eda4caabf7bd31405cf29422357a4e0f579a4a6a6bf55

AgentTesla

+ 23'721 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221122-e5z7eaac88/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

95da8d2d828481d6709d974e850408e827b1943e46d3a6e981423d20bcbf949e

MD5 hash:

1c6afd0d12f87e3553d6fe8c42e638af

SHA1 hash:

e7d0000a6022c85ec624d7156d1c9f31c64329de

Link:

https://www.unpac.me/results/8149fb16-1abc-4903-bca2-97eecaaf8183/

SH256 hash:

ae3591409965d4bf8b057ca6b3895cbc23ac860174b809522b58c969042885dc

MD5 hash:

c2f8ed59ec91e62e0e62dd259ea650ed

SHA1 hash:

947ed0428924e7b58acd0f58af9bb7a9be0c0e5b

Link:

https://www.unpac.me/results/8149fb16-1abc-4903-bca2-97eecaaf8183/

SH256 hash:

d3564fe3774198dcf37d0b6182ae78722d9a4053afe1c55271c8459a44d56038

MD5 hash:

bd09cbf7f491da0038d98accaaf03bab

SHA1 hash:

446cabb1103236c28ca329634672129f307ffd29

Link:

https://www.unpac.me/results/8149fb16-1abc-4903-bca2-97eecaaf8183/

SH256 hash:

744928a56b4d36f17e73eea0534c5e99103d1553d5b0a864a6fd9d4f9899b47f

MD5 hash:

91fed5db1afcdf48e0cd6d4058a013ba

SHA1 hash:

3717b3346e25d3f66f00626ad1a771d8655f485f

Link:

https://www.unpac.me/results/8149fb16-1abc-4903-bca2-97eecaaf8183/

SH256 hash:

df28946a3deea16e9cd3b9153e4da0070bc23b9cb3f33f9813bd9644e6a62fbb

MD5 hash:

c94702e4acd21d898b4184d83e806e7e

SHA1 hash:

0b912af63bcd58b7b9cc8e2a508268626f00ebf0

Detections:

AgentTesla

Link:

https://www.unpac.me/results/8149fb16-1abc-4903-bca2-97eecaaf8183/

Parent samples :

17e794be3e69813de034e7f792ac7d05bed22fde3d9fa773d14d4f30a175f4c7
0497f011e1c4eb1d442e26445d5dfb8b7250582848adb7cb243f8cd7247b4222
f2516f84d0107f05ae7daac4843562f2c9d6b6698806a4673e0254ecbed3640f
31ad5de47437e1afa2f31be94c56c5a18c88d9be6da889fe03fd2df0d9cf6a85

SH256 hash:

17e794be3e69813de034e7f792ac7d05bed22fde3d9fa773d14d4f30a175f4c7

MD5 hash:

47fc98bea34e29b3ab5a640a4d4b91f3

SHA1 hash:

fad8f3386a60f9945527a6fe781182933d7fd4a6

Link:

https://www.unpac.me/results/8149fb16-1abc-4903-bca2-97eecaaf8183/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/17e794be3e69/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/17e794be3e69813de034e7f792ac7d05bed22fde3d9fa773d14d4f30a175f4c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/337044/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample