MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f1987c42f73ffac95703d0f7c9445819e46f1471eb6049a51b66e0c7e730804. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f1987c42f73ffac95703d0f7c9445819e46f1471eb6049a51b66e0c7e730804
SHA3-384 hash: 2c0579a71fc27702cd463294fa86d6792ba8e872977f910620ba96affd31f571b0e7440a187dfbcf15f100890d3cfa14
SHA1 hash: 3eab9eb3821126aff70399c80dc1a0a98aad2205
MD5 hash: 9451c422b20b482ac8d7eabbc6ab8f60
humanhash: florida-xray-hamper-mars
File name:image001.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:884'224 bytes
First seen:2023-06-19 11:33:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:YQYqtm8OqKp8+BaTwUqgYU8Fg2Ci9nJ7Ydx6iA:Z+8On8+ETw88FSi9J8dx
Threatray 5'411 similar samples on MalwareBazaar
TLSH T1C015E06436B90B53E07D97F90442A63117FAAA6A743ED3194ED7F0DB2A92F400E91F13
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
image001.exe
Verdict:
Malicious activity
Analysis date:
2023-06-19 11:37:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f9e127f-d6ac-4972-9bef-a8a52cde80ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400406/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.19786.32650.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64903d2b10461c2d676a698d/reports/f9b4f414-2021-4c53-b281-85587f364b8b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1f1987c42f73ffac95703d0f7c9445819e46f1471eb6049a51b66e0c7e730804
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1ab7bd2-61bf-4776-a7f8-0401217c1191
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257326
Signature
.NET source code contains potential unpacker
Contains functionality to register a low level keyboard hook
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1f1987c42f73ffac95703d0f7c9445819e46f1471eb6049a51b66e0c7e730804/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 08:47:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4myprbpop72zflqhuhxzfcfqgpen4khd23ajgsrwzxay7ttbaca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e5492854f8e9e427a594ac5938e7a798e084f7bc960a62fdfa076e3f929de57
AgentTesla
3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f
AgentTesla
39893af7f960c76c20ab2b99e5caa2acabab3c7fc01e47791586f451eba5be5b
AgentTesla
3d0816e876a59f4e3b56bd2105122ef69499f79bab375b0956716494eb286dbd
AgentTesla
3d9b67b5dc857a2663548b9335d48dde0a880f6b61490f0cced767399a166f2b
AgentTesla
82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59
AgentTesla
8cb05af5d5848832ac7006071a842f3566196a891cd232ff3602b550803e73c5
AgentTesla
d46b8526a8a8b3ad723d25036a6d692009245eb965d64576e90915ae877f9eb5
AgentTesla
db446783db86540d8f04bb5d242b6d4acccd4c426b9f5086773a492db341f55a
AgentTesla
+ 5'401 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230619-npe1zaef5w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
24b077fd9b344cd944a736f24ada8b80c7285f7343ff9dc56b58769bde27e4f6
MD5 hash:
64fcc151459a284a183dbbc044aa2142
SHA1 hash:
a33fa55f857e654bb5688c116680217e673bb600
Link:
https://www.unpac.me/results/b84da1ca-c86f-4cee-a0bf-44a9244c21ea/
SH256 hash:
7b84798ef55c5640d289aee30bbd2a907c5e0dddb37bfbce43f4b0ac98abd4e3
MD5 hash:
fbfcc8e0d89dc54913cebeae73aa3179
SHA1 hash:
78f66f6f856e7834e551577ae4121a860c23c324
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/b84da1ca-c86f-4cee-a0bf-44a9244c21ea/
SH256 hash:
9360658a46a7e2c056ac8491d8bbed511bf78a2119c74715bb1e7b60666fabfb
MD5 hash:
99e5c71207b5dad096475b13c4d2d9cd
SHA1 hash:
3cff8cbec0384b4d49634b0de6e4926b0a457244
Link:
https://www.unpac.me/results/b84da1ca-c86f-4cee-a0bf-44a9244c21ea/
SH256 hash:
f439120bf6685e8a0985512e10f06130f50a413828081a3411d7ac90fe8b6b27
MD5 hash:
fd9c6741f83712f73490efa1b425021a
SHA1 hash:
308d5a944c287697025a29e83b8553d536cf747c
Link:
https://www.unpac.me/results/b84da1ca-c86f-4cee-a0bf-44a9244c21ea/
SH256 hash:
bbd2ed6ad2547fd8d745c55c51240f06c599dae9374b52fd4fac5b74daa86ce0
MD5 hash:
f3d896f7cfdda4ab71acdb0270647d59
SHA1 hash:
27eeb4499d3bf8fb6b6ece4f398b95f6b24eac2e
Link:
https://www.unpac.me/results/b84da1ca-c86f-4cee-a0bf-44a9244c21ea/
SH256 hash:
1f1987c42f73ffac95703d0f7c9445819e46f1471eb6049a51b66e0c7e730804
MD5 hash:
9451c422b20b482ac8d7eabbc6ab8f60
SHA1 hash:
3eab9eb3821126aff70399c80dc1a0a98aad2205
Link:
https://www.unpac.me/results/b84da1ca-c86f-4cee-a0bf-44a9244c21ea/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1f1987c42f73/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f1987c42f73ffac95703d0f7c9445819e46f1471eb6049a51b66e0c7e730804

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1f1987c42f73ffac95703d0f7c9445819e46f1471eb6049a51b66e0c7e730804

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400406/

Comments