MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2381505423f5e5778021e1a9b2ce722cff0047b6309cecd484856542d8c872e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2381505423f5e5778021e1a9b2ce722cff0047b6309cecd484856542d8c872e3
SHA3-384 hash: af68e4e0b855b964f895c575c5e51b70780f77c318c7a36ca323d3cd5a8c51e6819e64b09ece3735430d5bc98bfdf4fe
SHA1 hash: 854a9b216b4d21d8c427c881ddaa6096b5c8cd0d
MD5 hash: 5a85a3d9a6a99476beb38b654555cf2c
humanhash: twelve-snake-nevada-oregon
File name:file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:4'073'984 bytes
First seen:2024-06-01 04:40:32 UTC
Last seen:2024-06-11 02:24:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:nZySD2M1OVcUj2EPGljqNHB518gTOe8npDvIce3E+RZ9myDDUx0V040V0Pp029Cu:nZh1O4ljqNHBRTOe8I3RRvlvDX0JqU4
TLSH T11216D026F3E84E29C16E4776D0A1906143F1DF82A327E30F6AD039FA1D6335A4D45AB7
TrID 44.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
34.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
6.3% (.EXE) Win64 Executable (generic) (10523/12/4)
3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon fdf5c1f19915e5cd (1 x AgentTesla)
Reporter Bitsight
Tags:AgentTesla exe


Avatar
Bitsight
url: https://vk.com/doc863235369_679844332?hash=iVdfpiV3aPaTfDqDuxSX5PVctFwDeZzliFO8aGaWX4o&dl=xZ1npwFByo8aqJFQUXjsoMRDac5kS2WeTRNmH55Hvzs&api=1&no_preview=1#otr

Intelligence

File Origin
# of uploads :
3
# of downloads :
355
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2381505423f5e5778021e1a9b2ce722cff0047b6309cecd484856542d8c872e3.exe
Verdict:
Malicious activity
Analysis date:
2024-06-01 04:45:29 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/7f405e90-d3e6-4afe-a4cb-341c99d38c1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.LokiBot-10026310-0
Create hunting rule

Win.Packed.Remcos-10026711-0
Create hunting rule

Verdict:
Malicious
Score:
98.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665b1b3a29ebcd67665cb20fwin7simulatehigh_evasion
Tags:
Generic Static Stealth Msil Zgrat
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
agenttesla dotfuscator dotfuscator finger lolbin net obfuscated packed packed remote vbnet
Link:
https://www.filescan.io/uploads/665aa65f32eca5b280016bcf/reports/9aeee631-8615-46aa-9cf9-096ec85bd4f3/overview
Verdict:
Malicious
Labled as:
MSIL_Kryptik.KLE.gen
Link:
https://www.hybrid-analysis.com/sample/2381505423f5e5778021e1a9b2ce722cff0047b6309cecd484856542d8c872e3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RisePro Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d6b11dff-4211-42ec-99d7-4a8c15294b3e
Result
Threat name:
Clipboard Hijacker, PureLog Stealer, Ris
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1450317
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to implement multi-threaded time evasion
Contains functionality to inject threads in other processes
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Silenttrinity Stager Msbuild Activity
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected PureLog Stealer
Yara detected RisePro Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1450317 Sample: file.exe Startdate: 01/06/2024 Architecture: WINDOWS Score: 100 70 ipinfo.io 2->70 72 fp2e7a.wpc.phicdn.net 2->72 74 2 other IPs or domains 2->74 82 Snort IDS alert for network traffic 2->82 84 Multi AV Scanner detection for domain / URL 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 11 other signatures 2->88 10 file.exe 3 2->10         started        13 EdgeMS2.exe 2->13         started        15 AdobeUpdaterV2.exe 2->15         started        17 5 other processes 2->17 signatures3 process4 signatures5 104 Writes to foreign memory regions 10->104 106 Allocates memory in foreign processes 10->106 108 Injects a PE file into a foreign processes 10->108 19 MSBuild.exe 1 100 10->19         started        110 Antivirus detection for dropped file 13->110 112 Multi AV Scanner detection for dropped file 13->112 114 Detected unpacking (changes PE section rights) 13->114 24 schtasks.exe 1 13->24         started        26 schtasks.exe 1 15->26         started        28 schtasks.exe 1 17->28         started        30 schtasks.exe 1 17->30         started        32 schtasks.exe 17->32         started        process6 dnsIp7 76 185.172.128.82, 49715, 80 NADYMSS-ASRU Russian Federation 19->76 78 ipinfo.io 34.117.186.192, 443, 49710, 49711 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 19->78 80 2 other IPs or domains 19->80 62 C:\Users\user\...\bSIhwhSOQwRX1e1Mi6r9.exe, MS-DOS 19->62 dropped 64 C:\Users\user\AppData\Local\...dgeMS2.exe, MS-DOS 19->64 dropped 66 C:\Users\user\AppData\Local\...\l2[1].exe, MS-DOS 19->66 dropped 68 3 other malicious files 19->68 dropped 96 Found evasive API chain (may stop execution after checking mutex) 19->96 98 Tries to steal Mail credentials (via file / registry access) 19->98 100 Found stalling execution ending in API Sleep call 19->100 102 6 other signatures 19->102 34 bSIhwhSOQwRX1e1Mi6r9.exe 1 19->34         started        38 schtasks.exe 1 19->38         started        40 schtasks.exe 1 19->40         started        42 conhost.exe 24->42         started        44 conhost.exe 26->44         started        46 conhost.exe 28->46         started        48 conhost.exe 30->48         started        50 conhost.exe 32->50         started        file8 signatures9 process10 file11 60 C:\Users\user\AppData\Roaming\...\oobeldr.exe, MS-DOS 34->60 dropped 90 Antivirus detection for dropped file 34->90 92 Multi AV Scanner detection for dropped file 34->92 94 Detected unpacking (changes PE section rights) 34->94 52 schtasks.exe 1 34->52         started        54 conhost.exe 38->54         started        56 conhost.exe 40->56         started        signatures12 process13 process14 58 conhost.exe 52->58         started       
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2381505423f5e5778021e1a9b2ce722cff0047b6309cecd484856542d8c872e3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2381505423f5e5778021e1a9b2ce722cff0047b6309cecd484856542d8c872e3/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2024-06-01 04:41:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eoavavbd6xsxpabb4gu3fttsft7qar5wgcoozveeqvsufwgiolrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:risepro stealer
Link:
https://tria.ge/reports/240601-fa4rsaah38/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RisePro
Malware Config
C2 Extraction:
77.91.77.117:50500
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/281810a8-d892-4dd2-b916-8f9a5891895c
Unpacked files
SH256 hash:
81cadb6a9546328647f2fbd1713fcf8ee49921c6a0c7b155f6d287acddab5fd7
MD5 hash:
eb029ab5c2f8de328736c53dc3c7df47
SHA1 hash:
e05c4fba0236fee2516bf53a287e41e0e97a0ee5
Link:
https://www.unpac.me/results/f7237132-f416-40f9-84c4-1fa648ee8777/
Parent samples :
12df075fcaec366639ab37f203aa412540f351ee17e7f126a4a126e7a61c2a9b
b8a5ef9ea9fa588907a197db55c743559460190aa58b227db10d6be75d8bfe39
e603e36cae3f0fa9badbeaeff8fb0becb1ed444776892db76cd8d219e2ba92bd
SH256 hash:
f45d627268f4b4c96dcc91c34eaf92b34cd300f15d8613d55083230dde744ef4
MD5 hash:
2ffdfbadb10d6c3ef0eb7f92f6c4d321
SHA1 hash:
ab75a4765f691d37c3c0834df8a82861849255c4
Link:
https://www.unpac.me/results/f7237132-f416-40f9-84c4-1fa648ee8777/
SH256 hash:
bbc449e1314605e6346cb956c13191bb8fb9ea7faeeea051c1b38f1c3ef90a0f
MD5 hash:
b145d64b396b9ee55ea274714a98248e
SHA1 hash:
8d04cbcf205e0b80840250ab7ae1047362926b93
Link:
https://www.unpac.me/results/f7237132-f416-40f9-84c4-1fa648ee8777/
SH256 hash:
343c4bccd3bc5b5f8f5f76c912eb0ecd860d65be6a86e398cde7f7d84507a1ef
MD5 hash:
29d7c2b1f4e1a7a61ac425465fca2ae1
SHA1 hash:
50eec81e2eae34a56ca8ce59f852383a9d703f32
Link:
https://www.unpac.me/results/f7237132-f416-40f9-84c4-1fa648ee8777/
SH256 hash:
2381505423f5e5778021e1a9b2ce722cff0047b6309cecd484856542d8c872e3
MD5 hash:
5a85a3d9a6a99476beb38b654555cf2c
SHA1 hash:
854a9b216b4d21d8c427c881ddaa6096b5c8cd0d
Detections:
SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
MALWARE_Win_zgRAT
Create hunting rule
Link:
https://www.unpac.me/results/f7237132-f416-40f9-84c4-1fa648ee8777/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2381505423f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2381505423f5e5778021e1a9b2ce722cff0047b6309cecd484856542d8c872e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_zgRAT
Create hunting rule
Author:ditekSHen
Description:Detects zgRAT
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 2381505423f5e5778021e1a9b2ce722cff0047b6309cecd484856542d8c872e3

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments