MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 237940fb7eb32c73099ff9c044e68bedbdd2806052d702ced089cdc36c7dcb2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 237940fb7eb32c73099ff9c044e68bedbdd2806052d702ced089cdc36c7dcb2e
SHA3-384 hash: 7768727fe88fa19ad2ed3ef9296de6464ed6b3c67d4d6ad38df79ee5a99ab0f69d5f5d7727f6691b1dd0a49ac450ef2c
SHA1 hash: 7f45a69804991ceb2e2b9bb3fb7917e8b7d1c760
MD5 hash: 564f99b6cf9b92729bf277ef93fd856f
humanhash: kitten-johnny-single-oklahoma
File name:SecuriteInfo.com.Win32.PWSX-gen.22069.13959
Download: download sample
Signature AgentTesla
Create hunting rule
File size:587'776 bytes
First seen:2023-07-12 11:45:02 UTC
Last seen:2023-07-12 13:22:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:VRPSaWou6GKKSGZy8MQV03BXVayaL6ue91:XUwJKv43BXraL6ue
Threatray 341 similar samples on MalwareBazaar
TLSH T18BC412ADA66B482FC91B0FF5847022F093F89BD57735E3C38C8271DDA9897C58688617
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
276
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.22069.13959
Verdict:
Malicious activity
Analysis date:
2023-07-12 11:47:26 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/8a370101-727b-44c6-8e70-5c6755cc829c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/416776/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.22069.13959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/64ae924057d1eb6a904f2e70/reports/c0306e04-9faa-454d-bedb-f9539435ec54/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/237940fb7eb32c73099ff9c044e68bedbdd2806052d702ced089cdc36c7dcb2e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2157a72d-7514-489d-bff3-4251e758ed1d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1271678
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/237940fb7eb32c73099ff9c044e68bedbdd2806052d702ced089cdc36c7dcb2e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-12 09:47:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=en4ub636wmwhgcm77haejzul5w65fadakllqftwqrhg4g3d5zmxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
069c1a556943461282bfbf8411afc6213a359df9ce4894a80881e45a2ba9bc84
AgentTesla
2d1a013b096ee6e0e8917809ba4c7d8f25cd7808a00e59cdb145b1f489ba546a
AgentTesla
67597ef80dae09206d734a28cd5f67bb236050a49916d46d8c19be0c2d2b9b5b
AgentTesla
69178c04c4ccf7401b69b7e2407a7389a548cdeb369eb555565e09c9a9c8ab9d
AgentTesla
73ca2bb8b5a217092150b3fc0fc469416868198b11179e51a05d18840742c2ac
AgentTesla
89838c428e6292848d7e8345eee67d50c664b078751c74d7f3db20ebca31c675
AgentTesla
8f9233b7e07ec6df616188249b01afc694cabc2130291a15d3e7c434430c9783
AgentTesla
c3d408d3ba7f6ea4acf913b8fd845e98c587fc8a6c67f48ef3542e3895ba7153
AgentTesla
cb2cbedac34829b45dcc25735d79fb332bed3098741a7ca8a7954de5ceb894ec
AgentTesla
+ 331 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230712-nwqq2sda37/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
4a6d5c859ac6f4fa63423d452cf679f6474cdce50b4772560f9b6f8f1436e951
MD5 hash:
eb17ae8700ca5e4a6312c89754edbd40
SHA1 hash:
ee4cf58cebd350dff838e19850976bd232eb2d5d
Link:
https://www.unpac.me/results/dbd39145-fd87-446c-8dd2-6631fed5c013/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/dbd39145-fd87-446c-8dd2-6631fed5c013/
SH256 hash:
14a5e013f01835daa301aa4175f373b4d0fd071fb3b76b1308fb37531b9a3310
MD5 hash:
42dbbb477de5f83e8056e1f5c843b4d2
SHA1 hash:
719ee6a0fb53ae67ba9b9dcfdc071e768e86280f
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/dbd39145-fd87-446c-8dd2-6631fed5c013/
Parent samples :
237940fb7eb32c73099ff9c044e68bedbdd2806052d702ced089cdc36c7dcb2e
309892ec1d5c26c1ffe3d4ea531df5475ddb9d0959ccc3f8b4c147eae55bf5aa
afe76c98b98a456cd1d72cbedfd856706006149048244109fd8e2630af9482d3
SH256 hash:
3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9
MD5 hash:
a5228b97b33467ac41fac5cac2718252
SHA1 hash:
28bb020c8a53b046fc8e8106f2913e62c5941a0d
Link:
https://www.unpac.me/results/dbd39145-fd87-446c-8dd2-6631fed5c013/
SH256 hash:
237940fb7eb32c73099ff9c044e68bedbdd2806052d702ced089cdc36c7dcb2e
MD5 hash:
564f99b6cf9b92729bf277ef93fd856f
SHA1 hash:
7f45a69804991ceb2e2b9bb3fb7917e8b7d1c760
Link:
https://www.unpac.me/results/dbd39145-fd87-446c-8dd2-6631fed5c013/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/237940fb7eb3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/416776/

Comments