MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c83206073dde5d3a78ec0cd98f52c764f520737a88c2f3e255326c9b328aa76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c83206073dde5d3a78ec0cd98f52c764f520737a88c2f3e255326c9b328aa76
SHA3-384 hash: aa86cc0f3bba3a26f619134e5cb6a1dd380b3c91468e57fd4e3a29e5074484d3d3571489261e8001826cd48faea019bc
SHA1 hash: 89bc718c37fc2c323e29bab2dc402e9e8f4d3790
MD5 hash: 69b2e1e1f59d2f99be41767cd6cd5500
humanhash: five-beer-blue-thirteen
File name:rPaymentConfirmation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:923'648 bytes
First seen:2023-03-08 17:37:31 UTC
Last seen:2023-03-08 19:27:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Ne3yg24K+JfeJujH6MW2YDjw9TCT1yfBj0t26BBi5+obRhH3iXJpmyLG:Ne3gLJujHE7OTo1wBjq26BBEnniX
Threatray 1'393 similar samples on MalwareBazaar
TLSH T1AA15BD57F249A81EE8BEE730DD867D44E830B0727216B51B75DBC09887ACAF19B101E7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 84d4d4d4d4d4d482 (5 x AgentTesla, 2 x SnakeKeylogger, 1 x NanoCore)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rPaymentConfirmation.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 17:38:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d55e9fa7-64ae-433d-a573-32f47e2b7e70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372659/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6318.24724.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6408c7fbed3d33698044cd18/reports/960e821b-1fe5-46f9-8814-dc5d6476903d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1c83206073dde5d3a78ec0cd98f52c764f520737a88c2f3e255326c9b328aa76
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4265c637-ba47-4684-ac89-15b7d89862ef
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189610
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c83206073dde5d3a78ec0cd98f52c764f520737a88c2f3e255326c9b328aa76/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 17:50:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dsbsaydt3xs5hj4oydgzr5jmozhvebzxvcgc6prfkmtmtmzivj3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2c5117280800871fbceb13a571a8d602c17f3c08247c8ccf546bb9dc8adda73e
AgentTesla
493781dc1d845e09f96742dfdc2edaef673ac5d4b2139875929166f2627dc161
AgentTesla
60d1370a6be9757d7c17dde38c1b092d70fa3bfc4d26a2f9548b095a2c714fb7
AgentTesla
6ae9e95178fbe3f0b8d2495b927ebbba4edf143d9d703170d6a309bce7e8aad8
AgentTesla
6e8160f23b32743ffdcd853036d351c0ec4410d61f28254854b0ec6abdfb4fc3
AgentTesla
8ef2718c254555dcf4f3717e512b73e066d99ae1df7663bb38ab13a17b0a594d
AgentTesla
918057f4d236bf49e9efaceb3c4aaab580baf9960ac45d2fe8d97c5d98111f73
AgentTesla
96c4ff43a964578b8d6e88df75059042c2c7fb55ffafb416c797c36324fd459d
AgentTesla
b7cdc5d7eee046fb090cee2dc703e8b68e84927dbf5b49e787c97e2dcf61777b
AgentTesla
+ 1'383 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230308-v7p28agc35/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
ccea52e2b789bb7cad258c068e648c886bd9891c48cdf87d3e55ebf45c5beaa9
MD5 hash:
29b847b40df1f14e4d5d404e21ad7021
SHA1 hash:
b9266d44295f18725f921e41986d4b509a6b6868
Link:
https://www.unpac.me/results/20982bfe-71f7-4f17-9638-24500c574bc5/
SH256 hash:
b8fb836ca7187eb08192b790fe42a12c47785fd47df90875f061c0cca9957b6e
MD5 hash:
63a704d9cfeee17fae8aec3e96b3e144
SHA1 hash:
b7ee0adc1956cc2f9e791599ffbaf70b6a512eb9
Link:
https://www.unpac.me/results/20982bfe-71f7-4f17-9638-24500c574bc5/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/20982bfe-71f7-4f17-9638-24500c574bc5/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
dd49948e0b3393a8b53084075ec2f2a8c36813d1ba1ca538697eb62ec4b4deae
MD5 hash:
538dab51e58b7dd3809664982f4d0746
SHA1 hash:
4e7f9615f1d96b087c453a72217662f867e0520d
Link:
https://www.unpac.me/results/20982bfe-71f7-4f17-9638-24500c574bc5/
SH256 hash:
5b05cba72d149625151e42659925f5b31ed0f0ec1dd0720661a11b233d2c68e4
MD5 hash:
9ea69501e49db6e4b5ae04114dc81e52
SHA1 hash:
065f5ffbc9564b255b63aa16681898e06756b335
Link:
https://www.unpac.me/results/20982bfe-71f7-4f17-9638-24500c574bc5/
SH256 hash:
1c83206073dde5d3a78ec0cd98f52c764f520737a88c2f3e255326c9b328aa76
MD5 hash:
69b2e1e1f59d2f99be41767cd6cd5500
SHA1 hash:
89bc718c37fc2c323e29bab2dc402e9e8f4d3790
Link:
https://www.unpac.me/results/20982bfe-71f7-4f17-9638-24500c574bc5/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1c83206073dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/1c83206073dde5d3a78ec0cd98f52c764f520737a88c2f3e255326c9b328aa76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1c83206073dde5d3a78ec0cd98f52c764f520737a88c2f3e255326c9b328aa76

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/372659/

Comments