MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f0ce53c95af874c9fdbceb5780c81e36cfea0aab0ab7012877094bbd5d774f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f0ce53c95af874c9fdbceb5780c81e36cfea0aab0ab7012877094bbd5d774f4
SHA3-384 hash: d4a7efe20b042869edd73bdd1b92a723ff696d17a15f7b2d2eb805184d6a62e8cc7b7439a680b6ac3fe6e4228916175b
SHA1 hash: 9d7006e45eded485f0b1e9ab5408ec08d885d2ac
MD5 hash: 503edafa2dbb4a97ede555d33687d2f0
humanhash: eight-cold-triple-harry
File name:503edafa2dbb4a97ede555d33687d2f0.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:7'168 bytes
First seen:2022-11-19 07:17:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 96:4NaIz1vD88n77KWLLTXTWBkYPHIxCqpRqhOpS402kQf97zNt:4NawW8n77/LLykY/OnvqhOpS407Wd
Threatray 20'302 similar samples on MalwareBazaar
TLSH T17BE1A510A3A94672DFB68BBB5CB393C11278F3815A57DBAE69C4410BDC167980EB3770
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Exploit.CVE-2017-11882.123.24241.20836
Verdict:
Malicious activity
Analysis date:
2022-11-18 06:41:58 UTC
Tags:
exploit cve-2017-11882
Link:
https://app.any.run/tasks/0f6d3516-e9b1-4347-bbdf-c91796719e6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336046/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.26687.16454.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6378832e4dc24c6f80b876d8/reports/c9517494-748e-47ef-858e-4608bd72b9ae/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee78cc6f-45ba-4fad-a80e-48df13e62fc1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1117043
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f0ce53c95af874c9fdbceb5780c81e36cfea0aab0ab7012877094bbd5d774f4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-18 07:43:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4gokpevv6duzh63z22xqdeb4nwp5ifkwcvxaeuhocklxvoxot2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
masslogger
Create hunting rule
Similar samples:
53339c5cdab615030a4c2590e24fff630950bd67efa0befc029cb65c1621ecfb
AgentTesla
5c7a5703622f230645d9d688aad24c3851546523f892fca996458709cb1ddba9
AgentTesla
714bf12a2ee6357ab5f463fe1a40f46819ec9434c214035060ed6dc96c3fe27b
AgentTesla
74e83a5dc2ba21b96dfc04e0c9c09625cc77127383eef34c3dc171f65311ee2a
AgentTesla
791d28363cac830f755941fbd116d6c30cbd38f7c88f4b5f7f318feea4836fdd
AgentTesla
902d6e472c33f0b6deff39548253e09dc3c0df227cec877b16d9c3a646c48508
AgentTesla
abe9339cbaa7e85ee67e130dafa15f9e8d1bc7fc43fa8a980a9eec144db986f1
AgentTesla
c7a456f2d97f0c34cc5fd56f6825d60998a5d730e7d1e9157867257dfbaec0e7
AgentTesla
+ 20'292 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221119-h4x77sec4w/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b9edc061-15ff-4752-b76c-ed2068313a9e
Unpacked files
SH256 hash:
1f0ce53c95af874c9fdbceb5780c81e36cfea0aab0ab7012877094bbd5d774f4
MD5 hash:
503edafa2dbb4a97ede555d33687d2f0
SHA1 hash:
9d7006e45eded485f0b1e9ab5408ec08d885d2ac
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/bd9664d8-cba2-4831-be85-e8c8e0f0b0fb/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1f0ce53c95af/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 1f0ce53c95af874c9fdbceb5780c81e36cfea0aab0ab7012877094bbd5d774f4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2425604/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/336046/

Comments