MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments 1

SHA256 hash:	18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d
SHA3-384 hash:	4519d48781c6b0c112ad22a63b659c66a8688a74115f882d4de991e6da286caa8dd06493cf2e123709cab66303d84bef
SHA1 hash:	3809d6d83545814b6ca32ee97de22a5d9ce43114
MD5 hash:	77e7f5ee129d7a0eb6a063c6700083f6
humanhash:	timing-five-michigan-august
File name:	77e7f5ee129d7a0eb6a063c6700083f6
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	842'752 bytes
First seen:	2023-12-05 03:44:42 UTC
Last seen:	2023-12-05 05:39:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:PWcXtW8G34/uK45+po2PUabkUh88z0IvoFMY1EUcCzetvc4en1ccxfD0whVS3UeJ:634/up+pJKY3o7NHiFcrn9xfnV+bJ
Threatray	3'222 similar samples on MalwareBazaar
TLSH	T17505236572E9E70BC87A13F2DD3D614083B1BD263A32E55D5EC360EE46727019A40FAB
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	zbetcheckin
Tags:	32 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

358

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

77e7f5ee129d7a0eb6a063c6700083f6

Verdict:

Malicious activity

Analysis date:

2023-12-05 03:46:52 UTC

Tags:

evasion stealer agenttesla

Link:

https://app.any.run/tasks/738a1612-5761-4f12-8f7c-cc5cdda493bf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/462498/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.59820.30138.5834.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Setting a keyboard event handler

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

92%

Tags:

packed

Link:

https://www.filescan.io/uploads/656e9cbf3636548f373a64bd/reports/b8d2d815-5982-4681-8297-2f3551f167fe/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/23af0a01-b13d-4f6a-9a4e-dececca053c3

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1353697

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-05 03:45:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 21 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ddtua5luu2hxpyp24pj4qggyms32mgyejyliax3ijfudgumxzr6q._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d

AgentTesla

945e176b7aa6d3b13ca4f6cd758fe5ee04c49ab1778c2b5433166dfce5adc9e2

AgentTesla

a057aab2994c9b2d3214e2ebdfa28dcce023546bf7154c8832bd27112c693e86

AgentTesla

a1c70ed91881778f7e0fc6ad5275848145424d452e1053a5a4c5c7ca58fc61fc

AgentTesla

fa1263a8e9dea6c3fa9dce2ca23f8f235f8821446eb5089574c706c37db54442

AgentTesla

+ 3'212 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/231205-ea2rrahd75/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6695508500:AAHkexS5oB1E5lJkAEKZx2DzV7hRPW1U52k/

Unpacked files

SH256 hash:

c2df80da21dfd6355168936eee8e91ea332e92c166dca34400578387ba1b5fba

MD5 hash:

ed7d2390692afd9366358022ba62d93b

SHA1 hash:

552e99f5e0f23170552afc3f275f4396f412dd5b

Detections:

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/60779ad1-5b24-479d-9cf4-04c06940ffd6/

SH256 hash:

2968fe2da0bc9fbf1cf451705c317911c39d3cd652c03491f708bb8950f9ee21

MD5 hash:

f7addfdb4f93a189e5e54d4c8981a055

SHA1 hash:

2fa16218f2a63370e2b60086e2767e8ec3f69fe4

Link:

https://www.unpac.me/results/60779ad1-5b24-479d-9cf4-04c06940ffd6/

SH256 hash:

2340d070fc92470913072bab9087c4ed5675a0e8d4c61145553a8aad52a16994

MD5 hash:

0cf35c9e685b649b084dc5d385aaa62b

SHA1 hash:

06ab63a9a595c6ef82206c7388ff6aee4b1adb51

Link:

https://www.unpac.me/results/60779ad1-5b24-479d-9cf4-04c06940ffd6/

SH256 hash:

9603024464826dca0ed27613873f97c8f46f68497a9239f71a9fdaa26bca95b7

MD5 hash:

46d6dbb8000123f7de2a0f7ecbf6ef27

SHA1 hash:

05ff5bd0bc9d5081aaa0d174a86cadf4722cbf7c

Link:

https://www.unpac.me/results/60779ad1-5b24-479d-9cf4-04c06940ffd6/

SH256 hash:

18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d

MD5 hash:

77e7f5ee129d7a0eb6a063c6700083f6

SHA1 hash:

3809d6d83545814b6ca32ee97de22a5d9ce43114

Link:

https://www.unpac.me/results/60779ad1-5b24-479d-9cf4-04c06940ffd6/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/18e7407574a6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe 18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/462498/

URLhaus

https://urlhaus.abuse.ch/url/2737592/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-12-05 03:44:43 UTC

url : hxxp://5.181.80.126/LjYLHSho7Xgoi1P.exe