MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba924a1929390c208baacddcfa9ad01b115234fb5e699848bbefa2144c6f9f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ba924a1929390c208baacddcfa9ad01b115234fb5e699848bbefa2144c6f9f9
SHA3-384 hash: 60c982521c317561d71adbb51795a6e54c52c90d4763f2d5299ded0666c71c173abd37987e92516b6f9fbdedc0640e37
SHA1 hash: 4e33a3a1382c4804c12ef43868f97c73acf57f09
MD5 hash: f01bdbc4e97c2a1886094c3fe2092448
humanhash: indigo-arkansas-massachusetts-juliet
File name:rPAGO_4536222.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:657'920 bytes
First seen:2023-06-23 14:33:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:gfM2iNh4/mNUA/JJpEEomkjHkapBLcypPddhK3OuhKBVInxoW:GM1D4/QUsEEcjEmBLcytxK3OuofInxoW
Threatray 4'051 similar samples on MalwareBazaar
TLSH T1F2E41219A9B44D74EA7A1FF991B24061CBF5EAA4F703F34E1EE431FA05A3B005A43653
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
rPAGO_4536222.exe
Verdict:
Malicious activity
Analysis date:
2023-06-23 14:36:21 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/656e47f0-46be-45f7-b35a-cdd8d76fdd4a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/402231/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/6495ad5bd1be9f65da1d2bfc/reports/e9d07511-c459-4193-9f12-c7d05ef77bb0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1ba924a1929390c208baacddcfa9ad01b115234fb5e699848bbefa2144c6f9f9
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b44f3df0-6e9a-4317-b631-6db9f29c9746
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1260573
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ba924a1929390c208baacddcfa9ad01b115234fb5e699848bbefa2144c6f9f9/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-23 13:52:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
21 of 37 (56.76%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dousjimssoimecf2vto47knnagyrki2pwxtjtbelx35ccrgg7h4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0025fa6f194a33862ff4241a1fefed9477645cb36cb99e65d05b639b29dcdcdd
AgentTesla
021cfdac35b7f0cb8f6ba460a33994d0128883ad281812b380978bc5127abbbc
AgentTesla
31cc68f5423b08e95d1099c3e5f1ee1883a3b118c3cd2f51b8175d501505e92f
AgentTesla
32d504f5a1c52ac26cd08e12a4a21c1685efa55b3558a0745ed4fbc5ed973377
AgentTesla
42a1b1333505c88f790a7fbc5c39856f94cbddaeeffa5be29ae38fb5f567350d
AgentTesla
96fdf5c2a638bb7b2390fc8764534d26027446115f781706aa67d1e83234dcd3
AgentTesla
aa23406d036894ae210e0531e6014c1377bdb409619cde6143e69d0a8dc7b85b
AgentTesla
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309
AgentTesla
c9463aa342eb6e6aee71c05a6780f7a467dfb7e86330567a830ce490289bc236
AgentTesla
e5950c07075986a0e853f4e919e1c39f0e64a878ff97143a1d49ea5a4eb186df
AgentTesla
+ 4'041 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230623-rxelysgg2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/55eff30e-e83c-40b6-9abb-d8addf0148ee/
SH256 hash:
a0d1d0142112218e24bd038c9fd1b3dd5900bf15a0861f0fc35155268f649e49
MD5 hash:
d0b1d87d686e6fb5afa59c002d9c7fb0
SHA1 hash:
7e8aec267c6e52a362bfb365ff1497de455e8b84
Link:
https://www.unpac.me/results/55eff30e-e83c-40b6-9abb-d8addf0148ee/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/55eff30e-e83c-40b6-9abb-d8addf0148ee/
SH256 hash:
3e36a6a3ba9d3c13206d7fc24f389fdd67efff0ab009f19d35429e06c538ad79
MD5 hash:
ecf7f528e2bd616a6c4204f68ebb630d
SHA1 hash:
2032ef8e27e760ffb3dca6c3908d65dc3a7bbb48
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/55eff30e-e83c-40b6-9abb-d8addf0148ee/
Parent samples :
32d504f5a1c52ac26cd08e12a4a21c1685efa55b3558a0745ed4fbc5ed973377
1ba924a1929390c208baacddcfa9ad01b115234fb5e699848bbefa2144c6f9f9
SH256 hash:
1ba924a1929390c208baacddcfa9ad01b115234fb5e699848bbefa2144c6f9f9
MD5 hash:
f01bdbc4e97c2a1886094c3fe2092448
SHA1 hash:
4e33a3a1382c4804c12ef43868f97c73acf57f09
Link:
https://www.unpac.me/results/55eff30e-e83c-40b6-9abb-d8addf0148ee/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ba924a19293/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/1ba924a1929390c208baacddcfa9ad01b115234fb5e699848bbefa2144c6f9f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1ba924a1929390c208baacddcfa9ad01b115234fb5e699848bbefa2144c6f9f9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/402231/

Comments