MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cf91cee0bb9534573d1ed240c9a54ceed7cf9e7a1a377aa0f3bb354375f1e6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cf91cee0bb9534573d1ed240c9a54ceed7cf9e7a1a377aa0f3bb354375f1e6c
SHA3-384 hash: 8c458a8f48c27dc970c20da930a612054028a0c5671a0b4768ffb297c8a80e40e27d10983ae94c092c6b741901c02514
SHA1 hash: 7e6ce5151299c086409a8f20209dbfe5f229e458
MD5 hash: c8b8c14f60ba1607e18330f713da141f
humanhash: princess-island-friend-sixteen
File name:Tyrone.dll
Download: download sample
Signature AgentTesla
Create hunting rule
File size:508'928 bytes
First seen:2024-09-21 11:32:04 UTC
Last seen:2024-09-21 11:33:19 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 12288:XryYvQvcGwMu++5lak3JeNGePUhs/HbiIkuPDbYJLEPpM0:XtvQaaIJeo8Uhk7iDEPW0
Threatray 2'103 similar samples on MalwareBazaar
TLSH T121B4AE18FAEACB1FCD9A87F7C8E9587493A49453E14BF71B214202E54D073EB9A012D7
TrID 87.2% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter NDA0E
Tags:AgentTesla dll geo GRC unpacked

Intelligence

File Origin
# of uploads :
2
# of downloads :
397
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Malware.Zusy-10009321-0
Create hunting rule

Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66eeaef0f129e67ada9024f8
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/66eeaeef5e9303a294237373/reports/c0d1dd5d-7646-4fbb-adba-a98d18f0bd41/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/1cf91cee0bb9534573d1ed240c9a54ceed7cf9e7a1a377aa0f3bb354375f1e6c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa2043c1-0a6b-49a3-8f4c-12ad32d6a59f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1514920
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1514920 Sample: Tyrone.dll Startdate: 21/09/2024 Architecture: WINDOWS Score: 68 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 .NET source code contains potential unpacker 2->19 21 2 other signatures 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1cf91cee0bb9534573d1ed240c9a54ceed7cf9e7a1a377aa0f3bb354375f1e6c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cf91cee0bb9534573d1ed240c9a54ceed7cf9e7a1a377aa0f3bb354375f1e6c/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-09-21 11:33:04 UTC
File Type:
PE (.Net Dll)
Extracted files:
6
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dt4rz3qlxfjuk46r5usazgsuz3wxz6phugrxpkqphozvin27dzwa._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
1cf91cee0bb9534573d1ed240c9a54ceed7cf9e7a1a377aa0f3bb354375f1e6c
AgentTesla
2829d7c07f3a1a966b25c244d05ad931e9b52510dbae293277ff2208f72e6d34
AgentTesla
3796cd93f800a4c068bbadb4da09c577330fc49f0fdd171ef3bfffee0b3b555b
AgentTesla
81fdcde8fbe4d7ad27f94d3bf8b8276aecf45ae7017e6385c6a5f3e472465dac
AgentTesla
8f8dc73b22c993056e407a1dde2946830f4bc24c61ea7d33b9e50bd18f96075f
AgentTesla
dbda8c6ed6803fd8eeb547a60ee600c101315b478fa055d4a1d0ac438fc45527
AgentTesla
+ 2'093 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/240921-nnvp2azeke/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
1cf91cee0bb9534573d1ed240c9a54ceed7cf9e7a1a377aa0f3bb354375f1e6c
MD5 hash:
c8b8c14f60ba1607e18330f713da141f
SHA1 hash:
7e6ce5151299c086409a8f20209dbfe5f229e458
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8f7b13e6-912d-4c7a-b9e3-ace6e96c3670/
Parent samples :
dbda8c6ed6803fd8eeb547a60ee600c101315b478fa055d4a1d0ac438fc45527
1cf91cee0bb9534573d1ed240c9a54ceed7cf9e7a1a377aa0f3bb354375f1e6c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cf91cee0bb9534573d1ed240c9a54ceed7cf9e7a1a377aa0f3bb354375f1e6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Word file doc 3e1ba9d9fae253f1cebc7ddaafbc893f10cd8fd9b644e4b18f4e4f06f3cb62b0

AgentTesla

Executable exe dbda8c6ed6803fd8eeb547a60ee600c101315b478fa055d4a1d0ac438fc45527

AgentTesla

DLL dll 1cf91cee0bb9534573d1ed240c9a54ceed7cf9e7a1a377aa0f3bb354375f1e6c

(this sample)

  
Dropped by
SHA256 dbda8c6ed6803fd8eeb547a60ee600c101315b478fa055d4a1d0ac438fc45527
  
URLhaus
https://urlhaus.abuse.ch/url/3184443/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 1046de21cd8e9ff519ce5cb089edd5f5

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments