MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a37b22c671459258c8f420f9a6934dda93eb9c700ea86f390193dea31316724. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a37b22c671459258c8f420f9a6934dda93eb9c700ea86f390193dea31316724
SHA3-384 hash: 08af8a404635402510eff7cb80239224a0e4e82cfd8cfdf8fc6a2157f29d29cd085aecc2a6db0c5b59c2fba18db42e18
SHA1 hash: e3161500917651893bf4f38d792fb6f4fe88a94c
MD5 hash: ee1b10319caecabab0da68953fffe7ef
humanhash: romeo-glucose-lamp-butter
File name:SecuriteInfo.com.Win32.RATX-gen.3367.22786
Download: download sample
Signature AgentTesla
Create hunting rule
File size:610'816 bytes
First seen:2023-04-20 18:29:41 UTC
Last seen:2023-05-13 22:57:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:gGRflPa0ap7+wh6bfQmr+eEoM+v/agklrbTDm0W9M6:56Lcwh60mr+Nodv/1WrTma
Threatray 2'387 similar samples on MalwareBazaar
TLSH T11ED4E0E17027A792CB7AFEF4232D25351FF242B7E500D46DBE0D64D93931BC44A582AA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
317
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.RATX-gen.3367.22786
Verdict:
Malicious activity
Analysis date:
2023-04-20 18:31:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/492e208a-32d2-4393-99a0-1481fd0bfa56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383813/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/644184ac2694673273701b0d/reports/80457332-1412-4392-94c8-50cead495ead/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1a37b22c671459258c8f420f9a6934dda93eb9c700ea86f390193dea31316724
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db320404-7bf4-4941-8afa-39260cd3eb16
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1218244
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a37b22c671459258c8f420f9a6934dda93eb9c700ea86f390193dea31316724/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=di33eldhcrmsldepiihzu2ju3wut5oohadvin44qde66umjrm4sa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0699e889c84a872eccddfa07916b7a7e379ce6335e1796d67d119b6450323790
AgentTesla
0b89806418ec582854a24adb93fba607c7f27938f2b653a081aefd1a5e419e4f
AgentTesla
2069c3254c5a28daea136f39db600c179ba421e70f71cdd5765575012eb42d42
AgentTesla
416d574131255e4656d9d548ef7c74c1ba3850aa80a9acd9dbd0352eb03053ee
AgentTesla
8fcc45ad91c946c56a807d763576062e0a427539b9cb7fe2deb239b1da98e775
AgentTesla
9d83a9e060a29f32c19203afbffe3e6b3d22d71ec4779bc7139c0b22a9881e65
AgentTesla
bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed
AgentTesla
c7afa76d4d1a5546ea2c384d69b1d167306bd1f71dbcc848cfb77cd964c5e71a
AgentTesla
e58e0ed6eff59ab0ddb1da96a07aaeda4302bf94894fb62d909d3e9663c7a7c7
AgentTesla
e6e90d14d8ae1df119d47eb1d5550d5f0eef77323dc95e576e3980a53e2555a3
AgentTesla
+ 2'377 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230420-w5fw7sbf57/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/c780f02d-1e2e-4252-acca-fa2cef777264/
SH256 hash:
62b46fecccbce5317add50cc6ba8b6e13d68a2dfe4eab43a6e197cf0c28571b7
MD5 hash:
2d9d8241de90d47011b8764e91880f5b
SHA1 hash:
74d7ff1a31e0423485d4bada1710983e3567d417
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/c780f02d-1e2e-4252-acca-fa2cef777264/
Parent samples :
1a37b22c671459258c8f420f9a6934dda93eb9c700ea86f390193dea31316724
1025ea55a0dc2b783a15f4c8d980b63d16a89a1e0fdfce39931de521d76f9f3a
SH256 hash:
fb0887bed96454370f9096bcd2d1e63d2c9f9f472b91373cd466a5822241f5cb
MD5 hash:
90550d411a89b8d408fd89a900da2dd8
SHA1 hash:
69b65a4c2c23ad2e7d9441cd44ffcba49018a22a
Link:
https://www.unpac.me/results/c780f02d-1e2e-4252-acca-fa2cef777264/
SH256 hash:
6d2914ac58ea14350758971047034e53169f95c8b3c0b5ece6b6836e24f4d28f
MD5 hash:
691c81e448f4451476f820e1376ed3dd
SHA1 hash:
5d5567f07ef08f865d0faf552ab5736da270a087
Link:
https://www.unpac.me/results/c780f02d-1e2e-4252-acca-fa2cef777264/
SH256 hash:
d5d58456243a62c6777d1f33a79bec005f337cf2d76e0e0ad22bbcbf1bcbfc14
MD5 hash:
b9281b718aeccf17d06b4beb262f00e2
SHA1 hash:
335db609c18197da69fb9870913c2b1f559d21ae
Link:
https://www.unpac.me/results/c780f02d-1e2e-4252-acca-fa2cef777264/
SH256 hash:
1a37b22c671459258c8f420f9a6934dda93eb9c700ea86f390193dea31316724
MD5 hash:
ee1b10319caecabab0da68953fffe7ef
SHA1 hash:
e3161500917651893bf4f38d792fb6f4fe88a94c
Link:
https://www.unpac.me/results/c780f02d-1e2e-4252-acca-fa2cef777264/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1a37b22c6714/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/1a37b22c671459258c8f420f9a6934dda93eb9c700ea86f390193dea31316724

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/383813/

Comments