MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b177241fde84d89a296288549d8a3eb09d0266b15f5cd887a5aed360e3ccc90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b177241fde84d89a296288549d8a3eb09d0266b15f5cd887a5aed360e3ccc90
SHA3-384 hash: 2c650ea51c42a3d77f9514ac89523a9cf9927c26e5a38edd25696c859ca1bb4083c224acfc12f2e2ce35efe2e7139cbe
SHA1 hash: 45287707b30fd7ea36aa83f0404ba57022fa686a
MD5 hash: 93a25583729db52388572ef7b3e07228
humanhash: video-equal-delaware-muppet
File name:PO#JB2210-0005.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'100'800 bytes
First seen:2023-02-27 19:24:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:DRwEx2iNAh/yE10hOSc8Pr0qyaseYsW6JBbwTHHt0uJiWYcg1M8jQ6Irx4jZn78d:9wk1idKvPpysnB87NTt8jQjrqTKmQ
Threatray 1'068 similar samples on MalwareBazaar
TLSH T1E4357B8032F9C155EDCF327D091C96CA7D79B207A152B22AAB7776D6A3077F672C8081
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO#JB2210-0005.exe
Verdict:
Malicious activity
Analysis date:
2023-02-27 19:27:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/be2a8e6d-d05d-436c-b635-f96debd4a02f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370406/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63fd0394874679b6f447d2b6/reports/23e8ca71-8895-42b3-a948-71d4aeaa9f6c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1b177241fde84d89a296288549d8a3eb09d0266b15f5cd887a5aed360e3ccc90
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c143da64-928e-415b-bcc0-e045d25138af
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1183505
Signature
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 816340 Sample: PO#JB2210-0005.exe Startdate: 27/02/2023 Architecture: WINDOWS Score: 100 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected AgentTesla 2->26 28 Machine Learning detection for sample 2->28 30 Initial sample is a PE file and has a suspicious name 2->30 6 PO#JB2210-0005.exe 3 2->6         started        process3 file4 16 C:\Users\user\...\PO#JB2210-0005.exe.log, ASCII 6->16 dropped 32 Writes to foreign memory regions 6->32 34 Allocates memory in foreign processes 6->34 36 Injects a PE file into a foreign processes 6->36 10 RegSvcs.exe 15 2 6->10         started        14 RegSvcs.exe 6->14         started        signatures5 process6 dnsIp7 18 api4.ipify.org 173.231.16.76, 443, 49684 WEBNXUS United States 10->18 20 mail.emeraldstargroup.com 65.108.121.3, 49685, 587 ALABANZA-BALTUS United States 10->20 22 api.ipify.org 10->22 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->38 40 Tries to steal Mail credentials (via file / registry access) 10->40 42 Tries to harvest and steal browser information (history, passwords, etc) 10->42 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->44 46 May check the online IP address of the machine 14->46 48 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->48 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1b177241fde84d89a296288549d8a3eb09d0266b15f5cd887a5aed360e3ccc90/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 08:34:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
22 of 25 (88.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmlxeqp55bgytiuwfccutwfd5me5ajtlcx243cd2llwtmdr4zsia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
361034f14b8e3519b58ed13287495211c533f2d393accd4e198640aa6c98fc48
AgentTesla
72e713d25be6feb7c88cddfd471d9836371bd44cac7199cc1c44838e6946b807
AgentTesla
bbf7b8c0c3542188f9a8b62cd3c096ce43d9536b8a635c350c9e16e2ee6a0ead
AgentTesla
ddd6cb2af8803e3d83ff9600e2706c205910b9d1a733fb11764b8d1f633ab161
AgentTesla
e60df4c4e0c5fd9cb3bc3863d6ca5e668f44120187dd66fa0239c0741653e5e7
AgentTesla
f9c19f6fab392f8a9fc72e130be89468f5a1e6a5bd9bd76e4af198b58ec3e3e3
AgentTesla
fae100c65ebd2186aaad55877ec5fdf2cdb171a458f1bc675722e8e1e488e370
AgentTesla
+ 1'058 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230227-x4y7tsfd27/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
d43d407dc3ff7bb07849ff4de09c6d8e66cb464ddc4790c0d0980cf876f33d8f
MD5 hash:
011613eeb960d5ddf0635b35c3c61c57
SHA1 hash:
abdface9f47691dc402cd26d3eef35ee047512fd
Link:
https://www.unpac.me/results/869f5adb-a5ad-4ec4-8aa6-58755d45ed68/
SH256 hash:
452677f7538cdad7eae21f72f500cc0fa48d6fef66e22176612ea26ef4813cdd
MD5 hash:
8bcebae63e79b193a35982314d8c3dbb
SHA1 hash:
7a45432f9b4329dd82dd31389631eb9b907c8e31
Link:
https://www.unpac.me/results/869f5adb-a5ad-4ec4-8aa6-58755d45ed68/
SH256 hash:
8e2c26bca1974b222678222a08714e87555812cb8250d722ade5e7147b6bbd43
MD5 hash:
4444506439d6edc49d65c047c724cfc7
SHA1 hash:
239f09152407481efcf21dd9a8b2f24800e7e7dd
Link:
https://www.unpac.me/results/869f5adb-a5ad-4ec4-8aa6-58755d45ed68/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/869f5adb-a5ad-4ec4-8aa6-58755d45ed68/
SH256 hash:
219a6c7ea5bb974cc9fdf265d13d843e6ba83f2a1ec07744d4b9ca3a6ca90f38
MD5 hash:
88dd74207f3882979e21e26bf33a0e9c
SHA1 hash:
02a2db1bcbdb700f16c730a45d6ca62f805af8d4
Link:
https://www.unpac.me/results/869f5adb-a5ad-4ec4-8aa6-58755d45ed68/
SH256 hash:
1b177241fde84d89a296288549d8a3eb09d0266b15f5cd887a5aed360e3ccc90
MD5 hash:
93a25583729db52388572ef7b3e07228
SHA1 hash:
45287707b30fd7ea36aa83f0404ba57022fa686a
Link:
https://www.unpac.me/results/869f5adb-a5ad-4ec4-8aa6-58755d45ed68/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b177241fde8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/1b177241fde84d89a296288549d8a3eb09d0266b15f5cd887a5aed360e3ccc90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 7248668b5e26f4cbdb5581177d9741a6598c638d1e1128c61cc61af3068f3979

AgentTesla

Executable exe 1b177241fde84d89a296288549d8a3eb09d0266b15f5cd887a5aed360e3ccc90

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 7248668b5e26f4cbdb5581177d9741a6598c638d1e1128c61cc61af3068f3979
Cape
Cape
https://www.capesandbox.com/analysis/370406/
  
Dropped by
MD5 00542774cb67dda6d652d753ff4cae9a

Comments