MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2214417ca9bcffaa0455831c963b576cbb072efb7ad6dca11068ebe69444cdcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2214417ca9bcffaa0455831c963b576cbb072efb7ad6dca11068ebe69444cdcc
SHA3-384 hash: 267f1305eb295607769860a01a29dd09f0402bc4716c9bde3204a02c561baab991891a263b8cab51028ac8c5da4a4319
SHA1 hash: 65564cc1e52e5ea21a58c2d58f783917194ffce6
MD5 hash: 849c169c3d155741b67917f0d2fc1b42
humanhash: football-hamper-red-one
File name:RFQ U75553389.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:436'082 bytes
First seen:2023-03-30 12:51:35 UTC
Last seen:2023-03-30 18:42:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 6144:mT4DtVDc8/gxCuWcoa4fuY9nNk7Us/MwIUvsu/w04rpsXesv/apx/c6v3suc9S+c:mTuStPuNkb/jVV4r+XlvS7x/suc0Gs5n
Threatray 1'418 similar samples on MalwareBazaar
TLSH T18694120932A0F86BD71606326E3ECFEBAE72DC1258E15F7637533B5D2A344514A0BB91
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 56b120e4ceecf0d0 (2 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ U75553389.exe
Verdict:
Malicious activity
Analysis date:
2023-03-30 12:55:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8601785a-a852-4312-9193-5e7f4a65b92e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378826/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Inject.25852.26225.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Creating a process from a recently created file
Launching a process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/75769/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/642585f484fe7631c302f17f/reports/96bdbc2c-f872-4e8f-9e8f-bce534889270/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/2214417ca9bcffaa0455831c963b576cbb072efb7ad6dca11068ebe69444cdcc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b15a8110-ce44-438a-9b50-fa6f5fd5c9fa
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1205165
Signature
Antivirus detection for URL or domain
Found potential ransomware demand text
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 838083 Sample: RFQ_U75553389.exe Startdate: 30/03/2023 Architecture: WINDOWS Score: 100 31 mail.primevisionuae.com 2->31 33 googlehosted.l.googleusercontent.com 2->33 35 4 other IPs or domains 2->35 47 Antivirus detection for URL or domain 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 May check the online IP address of the machine 2->51 53 2 other signatures 2->53 9 RFQ_U75553389.exe 1 19 2->9         started        signatures3 process4 file5 25 C:\Users\user\AppData\Local\...\Multani.Fri, ASCII 9->25 dropped 27 C:\Users\user\AppData\...\VMwareHostOpen.exe, PE32+ 9->27 dropped 29 C:\Users\user\...\QCA.HDP.CustomControls.dll, PE32+ 9->29 dropped 63 Suspicious powershell command line found 9->63 65 Obfuscated command line found 9->65 13 powershell.exe 12 9->13         started        signatures6 process7 signatures8 67 Very long command line found 13->67 16 powershell.exe 13 13->16         started        19 conhost.exe 13->19         started        process9 signatures10 43 Writes to foreign memory regions 16->43 45 Tries to detect Any.run 16->45 21 CasPol.exe 15 22 16->21         started        process11 dnsIp12 37 api4.ipify.org 64.185.227.155, 443, 49846 WEBNXUS United States 21->37 39 mail.primevisionuae.com 95.172.86.31, 49847, 587 SINGLEHOP-LLCUS United Kingdom 21->39 41 2 other IPs or domains 21->41 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->57 59 Tries to steal Mail credentials (via file / registry access) 21->59 61 4 other signatures 21->61 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2214417ca9bcffaa0455831c963b576cbb072efb7ad6dca11068ebe69444cdcc/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-30 08:34:34 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eikec7fjxt72ubcvqmojmo2xns5qolx3pllnziiqndv6nfcezxga._file
Verdict:
unknown
Similar samples:
0df9cc018e5258e289ffea0bb4137ae6f0bc8fe85b48b544520c7dae95453f68
AgentTesla
4709918939b87a9c054e217770dc158f33c7446815b548d5dabd4a6b138b61b8
AgentTesla
486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
AgentTesla
799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21
AgentTesla
cf890935581d55d30342de2c71190393c3c03b99258ba7a1e3e3139099ee0b97
AgentTesla
cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
AgentTesla
cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3
AgentTesla
f7f5898bbed2b677a52a031071110b8aebb4b3eba2669703f6dd60e6953dc2a2
AgentTesla
+ 1'408 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230330-p33jvscf89/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks QEMU agent file
AgentTesla
Unpacked files
SH256 hash:
2214417ca9bcffaa0455831c963b576cbb072efb7ad6dca11068ebe69444cdcc
MD5 hash:
849c169c3d155741b67917f0d2fc1b42
SHA1 hash:
65564cc1e52e5ea21a58c2d58f783917194ffce6
Link:
https://www.unpac.me/results/7e3600c7-80d9-4b57-a393-d7c8ec94fe12/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2214417ca9bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2214417ca9bcffaa0455831c963b576cbb072efb7ad6dca11068ebe69444cdcc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/378826/

Comments