MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2244c1910eec55c85a115fa27cfbc558ecbee563441065ba45656b68e3c8cdb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2244c1910eec55c85a115fa27cfbc558ecbee563441065ba45656b68e3c8cdb9
SHA3-384 hash: 4675b0bc0cda7079030841401bce63adbbc15c989bba73d22a126611edf838588eee6c75ab9b57b2d60257c4d0f21a1d
SHA1 hash: 73bc9e63277715d2d342e698b1615d84e80e324f
MD5 hash: a19d27484bcda390d74f51b0e02a06d1
humanhash: floor-paris-hotel-london
File name:SecuriteInfo.com.Win32.RATX-gen.15090.18131
Download: download sample
Signature AgentTesla
Create hunting rule
File size:857'600 bytes
First seen:2022-12-13 16:40:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:bRw+yiu1OM4RUvMMWPijtNqiw3AbBRjtyX:bRuxxDtq3AV3yX
Threatray 12'959 similar samples on MalwareBazaar
TLSH T1A10522AD6E883643DDF588B2C004204B5771EE443607EBBD88DBF866C5EA7CE591A743
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 303edcda9adc3e30 (15 x AgentTesla, 7 x Formbook, 5 x SnakeKeylogger)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.RATX-gen.15090.18131
Verdict:
Malicious activity
Analysis date:
2022-12-13 16:41:49 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/1dc7b3bf-91bf-4f77-aa91-c9304197dbf8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345920/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.15090.18131.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6398ab2204e0e79bdf42be2c/reports/e0c772f0-9eae-4ee3-b54a-3a5e598a19ac/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30f19a38-3bf8-4617-8edb-5acbc86247e5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1133590
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 766317 Sample: SecuriteInfo.com.Win32.RATX... Startdate: 13/12/2022 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 6 other signatures 2->53 7 SecuriteInfo.com.Win32.RATX-gen.15090.18131.exe 7 2->7         started        11 FbBewpXRPzlqpI.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\FbBewpXRPzlqpI.exe, PE32 7->31 dropped 33 C:\...\FbBewpXRPzlqpI.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp4407.tmp, XML 7->35 dropped 37 SecuriteInfo.com.W...15090.18131.exe.log, CSV 7->37 dropped 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->55 57 May check the online IP address of the machine 7->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->59 67 3 other signatures 7->67 13 SecuriteInfo.com.Win32.RATX-gen.15090.18131.exe 15 3 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 FbBewpXRPzlqpI.exe 14 3 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 smtp.yandex.ru 77.88.21.158, 49698, 49699, 587 YANDEXRU Russian Federation 13->39 41 api4.ipify.org 64.185.227.156, 443, 49696, 49697 WEBNXUS United States 13->41 45 2 other IPs or domains 13->45 69 Installs a global keyboard hook 13->69 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 api.ipify.org 21->43 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->71 73 Tries to steal Mail credentials (via file / registry access) 21->73 75 Tries to harvest and steal ftp login credentials 21->75 77 Tries to harvest and steal browser information (history, passwords, etc) 21->77 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2244c1910eec55c85a115fa27cfbc558ecbee563441065ba45656b68e3c8cdb9/
Threat name:
Win32.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 10:34:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejcmdeio5rk4qwqrl6rhz66fldwl5zldiqiglosfmvvwry6izw4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a8174bbb3c63745bfd66e7774a83d9802192e7d800fa656dbdecd90f110105e
AgentTesla
15700616b67e3ac2d97cfb221762dca3b2b36cc9d3e1cf7ca8737acc9bb4db84
AgentTesla
1e6f3cac6c20bbf15bfcebc4bdb918515f5f13946b22b6865f3f82507233db68
AgentTesla
24db2e7ba38ff5dc81c50e2b03c174de23cad2b480bb82a989b00f12767e19a0
AgentTesla
4dd83a9f2b7002a9e6e98ce6035a077e3f379722429211c87c2ced4e708c2473
AgentTesla
5082c16f5104588a31af215f9d5c236b64f7bf700232a39c414f8fe3df14e87e
AgentTesla
916d30f29bbbbbbf9cd02ee4c66d611750d1a0aafa7b3f364b35e46216ae90a3
AgentTesla
a32619cd26fbb97072657ec6a481d4f4fd6c51b72ea5ea0837006d9a8dd24800
AgentTesla
bc60f5c19d219304320e8a975a199dbef09c89ac82fce15feacda92bd9152554
AgentTesla
f5c710060042d56e8e18e0d42256a4959c8d5529f8ea90e8e3084a742a9027f4
AgentTesla
+ 12'949 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221213-t64csafb67/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/590dba02-69b8-49a6-bbd2-ead1ea326140
Unpacked files
SH256 hash:
35cad145efd0b5b6396491150d2e307d4cb5e06d4f1b41aa310393c6dce520b9
MD5 hash:
56f8354a2e307e73243ff0056295fedd
SHA1 hash:
ed3257769ea438e1b5e86c3ef033e2deca86e239
Link:
https://www.unpac.me/results/6d771e67-5907-4abf-b4b7-38ee85a6d191/
SH256 hash:
824fb080c8a8884a4600f080ea9258fabd6ffaa6a0c55a04d110fd6926f95386
MD5 hash:
1f4c3a1ddaeaccda4a619fde058e2552
SHA1 hash:
e99c8ac1c8e30961feafc7b480f34b0a1912b7d1
Link:
https://www.unpac.me/results/6d771e67-5907-4abf-b4b7-38ee85a6d191/
SH256 hash:
4ee60523f3c5539d03eddfc2e17cbd4dbf19a18e8909d0d588ad103d6edf035b
MD5 hash:
bff6f69f0462353c9d308ccb4177a957
SHA1 hash:
7cd553cb3f39bd241ac315627c486759299fc218
Link:
https://www.unpac.me/results/6d771e67-5907-4abf-b4b7-38ee85a6d191/
SH256 hash:
776465bc84ae5b6870fb0871f15a31f7615d2bc325a40b68387385bfafec379d
MD5 hash:
c320c861fea24fbb2231f89a8eca4a56
SHA1 hash:
5ffa878a5a8e4fd393d6234d30a50dc67d5096c3
Link:
https://www.unpac.me/results/6d771e67-5907-4abf-b4b7-38ee85a6d191/
SH256 hash:
b0246ed02c5d63b8c1b251fb9709bec11d5afa1273e12b489750c6362bfd5758
MD5 hash:
010651f346201101263da805da00d437
SHA1 hash:
3be9b75194fab9c4022591b6b65ff01feb87ffaf
Link:
https://www.unpac.me/results/6d771e67-5907-4abf-b4b7-38ee85a6d191/
SH256 hash:
2244c1910eec55c85a115fa27cfbc558ecbee563441065ba45656b68e3c8cdb9
MD5 hash:
a19d27484bcda390d74f51b0e02a06d1
SHA1 hash:
73bc9e63277715d2d342e698b1615d84e80e324f
Link:
https://www.unpac.me/results/6d771e67-5907-4abf-b4b7-38ee85a6d191/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2244c1910eec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2244c1910eec55c85a115fa27cfbc558ecbee563441065ba45656b68e3c8cdb9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/345920/

Comments