MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f58807249befd1a37d00ad7d19ecc29140b027c5f2faebb18e13e67e5750cb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f58807249befd1a37d00ad7d19ecc29140b027c5f2faebb18e13e67e5750cb8
SHA3-384 hash: bb2a8a696309bad1d631c8377dd09345ba074abcb9a718067a9f3ff14960525c82515fc7711b7d328a21348d90ed422d
SHA1 hash: 3d269d9a97e934f855db5ba1538885fcf7b9c9ce
MD5 hash: a5f1490fe9eb9af962f8dcf5276a1113
humanhash: orange-mockingbird-alpha-mars
File name:1f58807249befd1a37d00ad7d19ecc29140b027c5f2faebb18e13e67e5750cb8.bin
Download: download sample
Signature AgentTesla
Create hunting rule
File size:249'856 bytes
First seen:2020-12-08 09:23:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a262877a36fc7e0f830054e0f70f76cb (7 x Matiex, 4 x AgentTesla, 4 x Loki)
ssdeep 6144:RIS6FsH/UWQcfjXKQTMyq63dG4XkQFX47pJNLsI6DF:RISBMcfrKQVq63Z0eI9l6D
Threatray 1'682 similar samples on MalwareBazaar
TLSH 5734121969D180B3F016593829E4D672653EF856DA30C02D3F853AAD2FB4BD81DF532B
Reporter Anonymous
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1f58807249befd1a37d00ad7d19ecc29140b027c5f2faebb18e13e67e5750cb8.bin
Verdict:
Malicious activity
Analysis date:
2020-12-08 09:26:08 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/5b8a91c8-44a6-4c32-8109-6b46341b184f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107219/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a window
Creating a file
Setting a keyboard event handler
Launching a process
Reading critical registry keys
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Moving a recently created file
Replacing files
Deleting a recently created file
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/557787
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 327991 Sample: Vu5xvXUTHf.bin Startdate: 08/12/2020 Architecture: WINDOWS Score: 100 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus / Scanner detection for submitted sample 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 4 other signatures 2->63 8 Vu5xvXUTHf.exe 2->8         started        process3 signatures4 65 Detected unpacking (creates a PE file in dynamic memory) 8->65 67 Maps a DLL or memory area into another process 8->67 11 Vu5xvXUTHf.exe 1 12 8->11         started        process5 dnsIp6 33 smtp.yandex.ru 77.88.21.158, 465, 49721 YANDEXRU Russian Federation 11->33 69 Writes to foreign memory regions 11->69 71 Allocates memory in foreign processes 11->71 73 Tries to steal Crypto Currency Wallets 11->73 75 2 other signatures 11->75 15 RegSvcs.exe 15 5 11->15         started        19 InstallUtil.exe 14 2 11->19         started        21 InstallUtil.exe 11->21         started        23 5 other processes 11->23 signatures7 process8 dnsIp9 35 226.127.10.0.in-addr.arpa 15->35 47 6 other IPs or domains 15->47 49 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->49 51 Tries to steal Instant Messenger accounts or passwords 15->51 53 Tries to steal Mail credentials (via file access) 15->53 37 226.127.10.0.in-addr.arpa 19->37 39 147.75.47.199, 49717, 49718, 49720 PACKETUS Switzerland 19->39 41 226.127.10.0.in-addr.arpa 21->41 55 Tries to harvest and steal browser information (history, passwords, etc) 21->55 43 226.127.10.0.in-addr.arpa 23->43 45 226.127.10.0.in-addr.arpa 23->45 25 WerFault.exe 23->25         started        27 WerFault.exe 23->27         started        29 WerFault.exe 23->29         started        31 WerFault.exe 23->31         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f58807249befd1a37d00ad7d19ecc29140b027c5f2faebb18e13e67e5750cb8/
Threat name:
Win32.Backdoor.Rescoms
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 02:36:45 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d5mia4sjx36run6qbll5dhwmfekawat4l4x25oyy4e7gpzlvbs4a._file
Verdict:
unknown
Similar samples:
06252fa9991f022f9c0ea65dd4799d71179cdc14692c16a754a14a3fc34304a1
AgentTesla
10294374734e4bb56cbf03eba2d257784ac87c057586d27a97c2b8b30f1f0f6d
AgentTesla
28b2e9be250b41e1f4ec167dff3620f09597b7292ad23f0c48a8d6cdcc388959
AgentTesla
4e54f08a98b07f89fe1441642c32d046c37875460aa66d03111b3c6219707842
AgentTesla
84f8bd87a1f8207da3a4722b9eee322be498919fed6323fe33c0ce60ef7aadcf
AgentTesla
88b664781d7b10fc5130cf6453fbde5b26b129f0e2f5e002d62be833b0fcd020
AgentTesla
8f9cc080f09d5612b9e1303538c5ed99565ab26d2512c3867e15ff353356d27a
AgentTesla
9666c06b6da42bc3cc7ae265a46cd4d137c74a1be711151efe9a44c31a894a78
AgentTesla
9bd1b5b1c597bbc1bf4d05845eafcbd21ee7caafcc94f743484fad3e936f89f0
AgentTesla
bd2bf7c79dda8208f9ec0c2199d1ec61058aa43bbe6f8548623444fc143a3aec
AgentTesla
+ 1'672 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201208-yyhblvwfax/
Behaviour
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1df40cb5488a471dd25970dc8a42040cae2b52b06a014f1a7c3450a7c5ff6d6a
MD5 hash:
8f1daaea1859f217a9e3074e18667286
SHA1 hash:
269a2b04b24fb94a23d84d616e0c070f7011f427
Link:
https://www.unpac.me/results/0947a128-b035-4b4a-9c71-66a18d5014a6/
SH256 hash:
ea7db54e8ca9387b376c7e414d456d201cdd8aa065b2e7f2a8e582638963aec6
MD5 hash:
335920cbba13e337a6adefec360627dd
SHA1 hash:
58c337e62751ce2bdbbba123f23d1ed359147cc3
Link:
https://www.unpac.me/results/0947a128-b035-4b4a-9c71-66a18d5014a6/
SH256 hash:
1f58807249befd1a37d00ad7d19ecc29140b027c5f2faebb18e13e67e5750cb8
MD5 hash:
a5f1490fe9eb9af962f8dcf5276a1113
SHA1 hash:
3d269d9a97e934f855db5ba1538885fcf7b9c9ce
Link:
https://www.unpac.me/results/0947a128-b035-4b4a-9c71-66a18d5014a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Zbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f58807249befd1a37d00ad7d19ecc29140b027c5f2faebb18e13e67e5750cb8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/107219/

Comments