MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20b4ef8e8decc7e48f1ce33615ea9280c20f6ff81efafa86cf5f9bd7de4ebcdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20b4ef8e8decc7e48f1ce33615ea9280c20f6ff81efafa86cf5f9bd7de4ebcdd
SHA3-384 hash: ad2a5d5546f0e5d5d4a11d6be504b04bf1278015a2bc468bb7ef97e8397e1768205b5a0ae78d419e3a5d57d30c4bb777
SHA1 hash: c4cdee3aebadc6b7492e3df5a8fba45474349cdd
MD5 hash: b33deba4aed98e836c610e93cebbb4bd
humanhash: quiet-papa-seven-crazy
File name:Qppge.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'106'944 bytes
First seen:2023-11-20 09:02:33 UTC
Last seen:2023-11-20 14:41:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:X63IURxKjmT3V1fpJ6vrpnuiZicOL2ruqABfJXA:Kb6yfpJ6vr57ZiR2ruqABfJXA
Threatray 2'029 similar samples on MalwareBazaar
TLSH T1EB35F703BA978DF5D39B2737C6AB04047B78E8816223D71FFA8A235928837775E45613
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b3b3b371716b93b3 (25 x CryptOne, 12 x RemcosRAT, 6 x RedLineStealer)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
333
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Qppge.exe
Verdict:
Malicious activity
Analysis date:
2023-11-20 09:05:59 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/ffd801bb-53b0-4e7c-9c6f-77ece211c285

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/459280/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Creating a file in the %AppData% directory
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/20b4ef8e8decc7e48f1ce33615ea9280c20f6ff81efafa86cf5f9bd7de4ebcdd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f2d555da-d7e6-41bd-9b31-6bf01abb9144
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1345069
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1345069 Sample: Qppge.exe Startdate: 20/11/2023 Architecture: WINDOWS Score: 100 70 mail.bezzleauto.com 2->70 72 clients1.google.com 2->72 74 clients.l.google.com 2->74 90 Snort IDS alert for network traffic 2->90 92 Found malware configuration 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 7 other signatures 2->96 9 Qppge.exe 1 6 2->9         started        13 pdf.exe 6 2->13         started        15 pdf.exe 2->15         started        17 svchost.exe 1 2 2->17         started        signatures3 process4 dnsIp5 66 C:\Users\user\AppData\Roaming\pdf.exe, PE32 9->66 dropped 108 Encrypted powershell cmdline option found 9->108 110 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->110 112 Writes to foreign memory regions 9->112 20 RegAsm.exe 2 9->20         started        24 cmd.exe 1 9->24         started        26 powershell.exe 23 9->26         started        28 cmd.exe 1 9->28         started        114 Multi AV Scanner detection for dropped file 13->114 116 Machine Learning detection for dropped file 13->116 118 Allocates memory in foreign processes 13->118 30 RegAsm.exe 13->30         started        32 powershell.exe 13->32         started        36 2 other processes 13->36 120 Injects a PE file into a foreign processes 15->120 34 RegAsm.exe 15->34         started        38 4 other processes 15->38 68 127.0.0.1 unknown unknown 17->68 file6 signatures7 process8 dnsIp9 76 mail.bezzleauto.com 45.151.123.240, 25, 49736, 49778 STUMPNERNETDE Germany 20->76 98 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->98 100 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->100 102 Tries to steal Mail credentials (via file / registry access) 20->102 104 Uses ipconfig to lookup or modify the Windows network settings 24->104 51 2 other processes 24->51 40 chrome.exe 9 26->40         started        43 conhost.exe 26->43         started        53 2 other processes 28->53 45 chrome.exe 32->45         started        47 conhost.exe 32->47         started        106 Tries to harvest and steal browser information (history, passwords, etc) 34->106 55 4 other processes 36->55 49 chrome.exe 38->49         started        57 5 other processes 38->57 signatures10 process11 dnsIp12 78 192.168.2.8, 138, 25, 443 unknown unknown 40->78 80 192.168.2.22 unknown unknown 40->80 82 239.255.255.250 unknown Reserved 40->82 59 chrome.exe 40->59         started        62 chrome.exe 45->62         started        64 chrome.exe 49->64         started        process13 dnsIp14 84 142.250.31.139, 443, 49755, 49770 GOOGLEUS United States 59->84 86 www.google.com 142.251.111.147, 443, 49715, 49716 GOOGLEUS United States 59->86 88 12 other IPs or domains 59->88
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/20b4ef8e8decc7e48f1ce33615ea9280c20f6ff81efafa86cf5f9bd7de4ebcdd
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/20b4ef8e8decc7e48f1ce33615ea9280c20f6ff81efafa86cf5f9bd7de4ebcdd/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-11-20 09:02:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
15 of 23 (65.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ec2o7dun5td6jdy44m3bl2usqdba637yd35pvbwpl6n5pxsoxtoq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
Similar samples:
0f6154350e73fcd971f98f7bf3fd43773edd1cca24c16d259a4c755958970332
AgentTesla
aebcd6039f3bfcf9ddfadaee2d5e631afb676e36e1497036283b24c73b810800
AgentTesla
b78001c65caffc4ff2cf300a7b2c2924a00720b34a38e5d021d115dfa419cbd5
AgentTesla
df5e129f51b16e5dec57270b57c8c742242d83d3fe7c556184cb004ef353eea5
AgentTesla
e5a39d95388a1324e37c31b9bc6a527941dd0c0736a0971ead7ec611474d2eb7
AgentTesla
+ 2'019 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231120-kz1tmseg94/
Behaviour
Enumerates system info in registry
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
20b4ef8e8decc7e48f1ce33615ea9280c20f6ff81efafa86cf5f9bd7de4ebcdd
MD5 hash:
b33deba4aed98e836c610e93cebbb4bd
SHA1 hash:
c4cdee3aebadc6b7492e3df5a8fba45474349cdd
Link:
https://www.unpac.me/results/706eca4c-5cd8-4d9a-9b04-8adf35775a5f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/20b4ef8e8dec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20b4ef8e8decc7e48f1ce33615ea9280c20f6ff81efafa86cf5f9bd7de4ebcdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

7z 0c2d3bb028c729f96e4338566577cfd390b0ea6cb28684d807d379a6a6839fe6

pdf aa37c9834962ef744c594c5dc3c3c29f2636214a883539517ced0543743da548

zip 76f948c084b30647cc6fe5aa31ad9a8af237f8b3d3d48d7811fbe56c01a82057

AgentTesla

Executable exe 20b4ef8e8decc7e48f1ce33615ea9280c20f6ff81efafa86cf5f9bd7de4ebcdd

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 76f948c084b30647cc6fe5aa31ad9a8af237f8b3d3d48d7811fbe56c01a82057
  
URLhaus
https://urlhaus.abuse.ch/url/2732145/
Cape
Cape
https://www.capesandbox.com/analysis/459280/
  
Dropped by
MD5 dfb73550b16f3035977b82a6ab3a5bd3

Comments