MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23b23bbc8497e567eba43518485bb19fe70d295e54e5af14f90d233b33d862f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	23b23bbc8497e567eba43518485bb19fe70d295e54e5af14f90d233b33d862f9
SHA3-384 hash:	5cfba8882b6808ebea745f99eb7abc7a03b3e50e3502dcea12b9a63f9f325b0f3a9dbf2d0e65392170b4e8ceaeaaa4c7
SHA1 hash:	d8bad219e4c0520afd19de5e0ec1842c5f56f9e1
MD5 hash:	b983d7ae5788fb40c2fda069ef162fc4
humanhash:	may-hotel-nebraska-nineteen
File name:	Docs.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	549'888 bytes
First seen:	2023-02-08 16:05:49 UTC
Last seen:	2023-02-08 17:30:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:S7rhVe5d6U6sRg9db30NOQA+/7lP2alQDL50VOcORIGhCTAaLmAiN3DyuUjW4nRg:8LsRg9db30NOQA+/7lPI0VxUIGhCdfeG
Threatray	20'569 similar samples on MalwareBazaar
TLSH	T128C46F2D39B613E2C138F97A46EB8620B9BD62933303D958D9DE1BF04F865816D8F51C
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Docs.exe

Verdict:

Malicious activity

Analysis date:

2023-02-08 16:07:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7a3fef6e-0103-4379-91ef-e8d49864f7c1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/362069/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.2536.21630.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63e3c86c459bcf4604ff80e3/reports/7e0c3437-d851-49e7-a0a2-a0c30c16f3d4/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/23b23bbc8497e567eba43518485bb19fe70d295e54e5af14f90d233b33d862f9

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/234a4026-3cb7-4d98-aa6f-6951938fd207

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1168973

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/23b23bbc8497e567eba43518485bb19fe70d295e54e5af14f90d233b33d862f9/

Threat name:

ByteCode-MSIL.Trojan.GenSteal

Status:

Malicious

First seen:

2023-02-08 14:29:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 39 (46.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eozdxpees7swp25egumeqw5rt7tq2kk6kts26fhzburtwm6yml4q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1326d9172aa0687e037a43b532cf2fb0e2ba90bff2e35efdebac87c3b06560f2

AgentTesla

20c94daf0506d27a6bd3de27e378fc900dd44a32328a41912d60fd26677d426d

AgentTesla

4033d9c9ef268cf2bdf04bb0e1c549e5461ba27026797edf70121468abbd1203

AgentTesla

7116f819cf1a305e813cb1bf9d3667fdc18efd1d5ed7e6c5a3afe92c1040addb

AgentTesla

8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d

AgentTesla

af044c42784626edaa652ffc0e158cac07b29329f3131321d3d59619329c6010

AgentTesla

d91d2ae4ef54fa855e4b7a36c37717014e0195e815abb272045a25ce46dc66a6

AgentTesla

f144fef878393aa69f18f5cf812ee9a62b0224ccb21936321c8f98d65c98d2f6

AgentTesla

+ 20'559 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230208-tj267scf54/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

452677f7538cdad7eae21f72f500cc0fa48d6fef66e22176612ea26ef4813cdd

MD5 hash:

8bcebae63e79b193a35982314d8c3dbb

SHA1 hash:

7a45432f9b4329dd82dd31389631eb9b907c8e31

Link:

https://www.unpac.me/results/b7a5f1b3-a293-424e-b110-0de6db545ca8/

SH256 hash:

94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129

MD5 hash:

874dcc6be499121b1425bfdff1f8ad46

SHA1 hash:

66f83bedc73876b77e152c604b8214bde86d965e

Link:

https://www.unpac.me/results/b7a5f1b3-a293-424e-b110-0de6db545ca8/

SH256 hash:

06bcd34efe4b17be9f97ac6f6d3cbe65990457df6754f5cdb295a6220479d932

MD5 hash:

d71e2993c887d53c94e75d9d59cd0dd7

SHA1 hash:

29342f51492353264a192181917d60565d8d7223

Link:

https://www.unpac.me/results/b7a5f1b3-a293-424e-b110-0de6db545ca8/

SH256 hash:

23b23bbc8497e567eba43518485bb19fe70d295e54e5af14f90d233b33d862f9

MD5 hash:

b983d7ae5788fb40c2fda069ef162fc4

SHA1 hash:

d8bad219e4c0520afd19de5e0ec1842c5f56f9e1

Link:

https://www.unpac.me/results/b7a5f1b3-a293-424e-b110-0de6db545ca8/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/23b23bbc8497/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/23b23bbc8497e567eba43518485bb19fe70d295e54e5af14f90d233b33d862f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.