MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ecc0f1cbcf7576078ecef752a046ffb0e74036ec376aba57cb0e2e9d713fbc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ecc0f1cbcf7576078ecef752a046ffb0e74036ec376aba57cb0e2e9d713fbc6
SHA3-384 hash: 17359bb9faca0f71380f61e5e9d68dd2d50ea40dfa478868e09a4a6d39f70b6b860795e0f7cf891b5ac015dd3a30d08b
SHA1 hash: d5f63b8df546974f792c4f6746a196eb6fe0de4e
MD5 hash: 9f56fd088faafafcc8746b1374718629
humanhash: rugby-purple-paris-emma
File name:Hesap hareketleriniz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:991'744 bytes
First seen:2023-07-22 08:34:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:BH38Xqlx+VCZTbqsaOVTQsW4aUVTi2e4LN5cxbZy4TjrawZc1sSgWiE9Y:zlx+V+vaOVEliTiMR52NYn9Y
Threatray 529 similar samples on MalwareBazaar
TLSH T12B256A3818BC116BC179DFB58BD9846BF0D49C6F7121AC3DA0A63B564332A46E8C763D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0f0f0d4f4f092cc (12 x AgentTesla, 3 x Formbook, 3 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Hesap hareketleriniz.exe
Verdict:
Malicious activity
Analysis date:
2023-07-22 08:35:55 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/bc9e7be3-8fba-40ac-a109-330728cd2bc7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/428433/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.29283.25454.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1ecc0f1cbcf7576078ecef752a046ffb0e74036ec376aba57cb0e2e9d713fbc6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26db9662-fa9d-4c69-a777-6c9fd6439afc
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277752
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277752 Sample: Hesap_hareketleriniz.exe Startdate: 22/07/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 7 Hesap_hareketleriniz.exe 7 2->7         started        11 PSaOKcyhULFB.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\...\PSaOKcyhULFB.exe, PE32 7->37 dropped 39 C:\Users\...\PSaOKcyhULFB.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmp1494.tmp, XML 7->41 dropped 43 C:\Users\...\Hesap_hareketleriniz.exe.log, ASCII 7->43 dropped 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 Hesap_hareketleriniz.exe 7 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 23 PSaOKcyhULFB.exe 11->23         started        25 schtasks.exe 11->25         started        27 PSaOKcyhULFB.exe 11->27         started        signatures5 process6 dnsIp7 45 mail.icdanismanlik.com 78.135.107.25, 49707, 49708, 49709 PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR Turkey 13->45 65 Installs a global keyboard hook 13->65 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->67 69 Tries to steal Mail credentials (via file / registry access) 23->69 71 Tries to harvest and steal browser information (history, passwords, etc) 23->71 35 conhost.exe 25->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ecc0f1cbcf7576078ecef752a046ffb0e74036ec376aba57cb0e2e9d713fbc6/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-07-22 08:16:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
22 of 25 (88.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d3ga6hf465lwa6hm552subdp7mhhia3oyn3kxjl4wdrotvyt7pda._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d03f0e57bfc9a9b4e583404b127ae9adff260762252e77d11c95bc6181188ce
AgentTesla
0ede8adc61c16ae2b85bb3d904addf4e9c508d351f14f36aae3d047e3a170fb6
AgentTesla
12ac0e2bc46fbe7377d72d30e0759b03ed3f5b79f58d4b75a33d3a1f869fe671
AgentTesla
1a245dd2d65396f9d5530ffd64b85a782218546939597f641edd40ebfaa84905
AgentTesla
51352527c76601017068c21e7847f54eccebff5ff53d60906b076ed0e045c8b4
AgentTesla
53776bf7c5fa91e2914a9ff83a3625d28cd72749d80b2a68a53794bcd3839e50
AgentTesla
58f4506f8082cd93f9f94cdc8c9b7ac1ee8a4eb19f3195fff2aea87c6949ca6e
AgentTesla
65d75891066c1e48fcebb2a923018bbd880a5dbf2265654298b2cd384b524ed8
AgentTesla
c6fbe67bed89ad208fb6eab0fc88f2d632b3441a4e8599e53ece2519ff5bcc00
AgentTesla
e213f4e03acb673bdf171735904353088ee43e966fefe127ab867079e77d4c16
AgentTesla
+ 519 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230722-kg1qxsaf9v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/edb001eb-1af8-48d1-94b1-5f3258587dd1/
SH256 hash:
e6eb8baf2affa91ad834f974a38231fd9544808e545d6f549446853cfd4334f7
MD5 hash:
92e19256d6b114f5bf0b2837ccb2b54a
SHA1 hash:
8cbd06c41ccef9264c5490c8479ae5e447750f80
Link:
https://www.unpac.me/results/edb001eb-1af8-48d1-94b1-5f3258587dd1/
SH256 hash:
eb9659fe647ed73c38a6ed5cf811392aa36230b6ff91a8588d1b5ab557757eb0
MD5 hash:
0364f8100802aade2ab6f4027e7e7c2c
SHA1 hash:
17830b30799b545cf25f676a407608ca4be4c17c
Link:
https://www.unpac.me/results/edb001eb-1af8-48d1-94b1-5f3258587dd1/
SH256 hash:
1ecc0f1cbcf7576078ecef752a046ffb0e74036ec376aba57cb0e2e9d713fbc6
MD5 hash:
9f56fd088faafafcc8746b1374718629
SHA1 hash:
d5f63b8df546974f792c4f6746a196eb6fe0de4e
Link:
https://www.unpac.me/results/edb001eb-1af8-48d1-94b1-5f3258587dd1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ecc0f1cbcf7576078ecef752a046ffb0e74036ec376aba57cb0e2e9d713fbc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1ecc0f1cbcf7576078ecef752a046ffb0e74036ec376aba57cb0e2e9d713fbc6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/428433/

Comments