MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23157d470ccf1ca2c01dd51631fa5696330cfa7b2d8e7330e4537d7f0c45e327. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23157d470ccf1ca2c01dd51631fa5696330cfa7b2d8e7330e4537d7f0c45e327
SHA3-384 hash: 2c79b5be4edef1046073d0a5baf476cc24d0fb1e317dc857188b974732f6783c72a61050fc031ee746c28819b0b01456
SHA1 hash: 9912bd2e5e5eb531822e0d7b00186e0ace76dcd3
MD5 hash: 92ed77d51c8ef3d1a8423c36adba3013
humanhash: kilo-beryllium-hot-east
File name:92ed77d51c8ef3d1a8423c36adba3013.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:577'024 bytes
First seen:2022-06-28 10:27:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:OWfv2iN/2iNdDTd5juhWvaWhrT82dUPZPTXaD29nBn7/w9iojRpeNkPRxliW1:Lfv1J1TdhZvaGrTwR2D29nB7/xbNkPRV
Threatray 18'532 similar samples on MalwareBazaar
TLSH T1D6C4129D03F40B19E9FB5BF818EC92940BF5A41DA4E5D26BBCD123CFE9917A04250B27
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
server53.web-hosting.com:25

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Message_7071025.eml
Verdict:
Malicious activity
Analysis date:
2022-06-28 08:09:06 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader agenttesla
Link:
https://app.any.run/tasks/47def757-60d5-45ef-95e4-e0cd39174427

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/283892/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed wacatac
Link:
https://www.filescan.io/uploads/62bad7f4cd5fc77b1d513644/reports/4672db49-4d2b-4e0a-a87e-f82d22abd4a9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d562ec07-b4e8-429f-ab52-8406229dbedf
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1021100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 653597 Sample: ob8ngSgvAv.exe Startdate: 28/06/2022 Architecture: WINDOWS Score: 100 31 server53.web-hosting.com 2->31 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected AgentTesla 2->39 41 6 other signatures 2->41 7 ob8ngSgvAv.exe 3 2->7         started        11 TmZaMAa.exe 3 2->11         started        13 TmZaMAa.exe 2 2->13         started        signatures3 process4 file5 25 C:\Users\user\AppData\...\ob8ngSgvAv.exe.log, ASCII 7->25 dropped 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->43 45 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->45 47 Injects a PE file into a foreign processes 7->47 15 ob8ngSgvAv.exe 2 5 7->15         started        19 ob8ngSgvAv.exe 7->19         started        49 Multi AV Scanner detection for dropped file 11->49 51 Machine Learning detection for dropped file 11->51 21 TmZaMAa.exe 2 11->21         started        23 TmZaMAa.exe 13->23         started        signatures6 process7 file8 27 C:\Users\user\AppData\Roaming\...\TmZaMAa.exe, PE32 15->27 dropped 29 C:\Users\user\...\TmZaMAa.exe:Zone.Identifier, ASCII 15->29 dropped 33 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->33 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/23157d470ccf1ca2c01dd51631fa5696330cfa7b2d8e7330e4537d7f0c45e327/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 05:09:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 39 (51.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=emkx2rymz4okfqa52uldd6swsyzqz6t3fwhhgmhekn6x6dcf4mtq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00ac3cb444c1bf9719bb9f3958b288d132591bfe299c2c7f006a96956f26c8f4
AgentTesla
3728b436ce177b5153e4b5a673d79f2dbf2e377960e35fea9db40bae8ec04618
AgentTesla
9168bf8f055bbaf60630375f130577d45c9fb532204a9c373169ddf8c7dfcc2a
AgentTesla
9ada932ad6919b4f21da2eb872e9af9ab1da22a818a13c57ae65b8679c6c7be1
AgentTesla
9ed750b07b16001b5f78dd725fb6ada74d583075fd25dd66aaa65f80be26e541
AgentTesla
a96934da1f7a4fb130eb2d1d36af4c07de114c639c363b5249617e81e75422bb
AgentTesla
b391d1b72b14882c85b88f43578341edce500e922a621026784dcb86ac31d37e
AgentTesla
bd784854e186a0f43ecfba7babc1f16bf5e8b42d8674e8f7af4443cefc99e719
AgentTesla
d90ef51332f34d911c129992a9dc092349f5d8b8f51dfae5bf75d4650d6ba05c
AgentTesla
+ 18'522 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220628-mhntvsgger/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
9168bf8f055bbaf60630375f130577d45c9fb532204a9c373169ddf8c7dfcc2a
MD5 hash:
29477f425d6c631468a2233cbbee919b
SHA1 hash:
fa6d8c94952d076c3bef0d9edb704262793a0fea
Link:
https://www.unpac.me/results/5b700e50-dae5-456a-9cea-444d44028898/
SH256 hash:
3f10a560c7cada2d9f1e294f8277c2dcf65c7021b0d003db734c73029d385987
MD5 hash:
62bab599343962c787b7b60c2d0101d2
SHA1 hash:
d151c89de43aafec96524db1a9d66b9030837bc8
Link:
https://www.unpac.me/results/5b700e50-dae5-456a-9cea-444d44028898/
SH256 hash:
87577e6c69af07ba0e6383a2a152b59a39d6b336631ce4baa250bd9f8adce03d
MD5 hash:
9b17d560e68eff0da30f79b3c391c9a3
SHA1 hash:
5ceda263b1ea13401f652c709dd884d58945fe57
Link:
https://www.unpac.me/results/5b700e50-dae5-456a-9cea-444d44028898/
SH256 hash:
14132b0bd8aeee3b559ae52118831d29c512f26120ec3ccf6f468487acdb5849
MD5 hash:
01bffe7d6a84c745db60afcaebfef5c9
SHA1 hash:
2f0e2e4ca7b5a80acbde46dbbc260c4e437d600d
Link:
https://www.unpac.me/results/5b700e50-dae5-456a-9cea-444d44028898/
SH256 hash:
220120aee86c319c60942441c2d74f13420a6e33c76b65354bc45197be0c1aee
MD5 hash:
f313946486d59d6930b11da27ffc04ac
SHA1 hash:
0c309b706a942e0a7b0e7cac37e42653e4f81aee
Link:
https://www.unpac.me/results/5b700e50-dae5-456a-9cea-444d44028898/
SH256 hash:
23157d470ccf1ca2c01dd51631fa5696330cfa7b2d8e7330e4537d7f0c45e327
MD5 hash:
92ed77d51c8ef3d1a8423c36adba3013
SHA1 hash:
9912bd2e5e5eb531822e0d7b00186e0ace76dcd3
Link:
https://www.unpac.me/results/5b700e50-dae5-456a-9cea-444d44028898/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/23157d470ccf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23157d470ccf1ca2c01dd51631fa5696330cfa7b2d8e7330e4537d7f0c45e327

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_ab4444e9
Create hunting rule
Author:Johannes Bader
Description:detects Agent Tesla
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 23157d470ccf1ca2c01dd51631fa5696330cfa7b2d8e7330e4537d7f0c45e327

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2251968/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/283892/

Comments