MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23cca5dea466cf7693d50889f30519af2b141cc3986ceb0d37f7e14e46b92aa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23cca5dea466cf7693d50889f30519af2b141cc3986ceb0d37f7e14e46b92aa5
SHA3-384 hash: 7a413d28dcf0c1c1cec9fbec3907c947d10ed21b7ce6046527a3441ad5b4191291348823874ecfed3053f63782dcbd9b
SHA1 hash: f71228f0b07297e87544e43dafa206948c6baf3a
MD5 hash: 8eb3d0bf3a12b42a810f4d8cd9a412e4
humanhash: violet-may-west-carbon
File name:8eb3d0bf3a12b42a810f4d8cd9a412e4
Download: download sample
Signature AgentTesla
Create hunting rule
File size:414'208 bytes
First seen:2021-12-15 12:02:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:GmKS4a0jh2ZWxZ2mwEzNthPRr/mH5qiKtvSLE:GM+sZWxZ2gvCsiIH
Threatray 13'575 similar samples on MalwareBazaar
TLSH T1E294D04539D2E1E8F9BFEBF10DB136C10339B6D5E541B1DEF5C8284AD9A3A944E006B2
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8eb3d0bf3a12b42a810f4d8cd9a412e4
Verdict:
Suspicious activity
Analysis date:
2021-12-15 12:05:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/823a3344-3d52-40db-b0fb-9e8a863d4369

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214332/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.353.12271.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b9d97a81d2323720030da9/reports/f5922997-ae47-4882-a00e-50667185c16d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ce55aed2-1191-4c1b-b59c-2d988bfe5f74
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/907848
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23cca5dea466cf7693d50889f30519af2b141cc3986ceb0d37f7e14e46b92aa5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-14 20:12:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08ae3a735881e41099740e2e79fcd4107d5e94fe9267e28d6bf8bd9fd80a7ce6
AgentTesla
102b0bdae4e027e3e115490a1fe904b1a9f4fd9e4e52243719ee1167ec4ed62a
AgentTesla
58af5a5798c0a1676aaf191471f73575ea31a886cbd5c7d882b9998b0b1d83a7
AgentTesla
65914c4a71b3670aacb5f165076d8f7f6542be80661727fb6d5d8038c9f13e4d
AgentTesla
6b999f2a2ffb29ab8f254b6454f49753fb1155bbb7414b0bde038ab74d5023ba
AgentTesla
6d3d406d84c61856f092fb6a14caaa67495a48b48ab98a03a3970bf109aadc2c
AgentTesla
72ad22e7df09e217184e472645352c8bfe28a44afe5fda4659f4082268d33da3
AgentTesla
8d10af8f247bb74f1a3d0878785f3afa173c82d4c881f29dd5b60ea6ed5f6b90
AgentTesla
8e0a42940b1c3699bf4c04814773e6c9969b75225295560b4a112e210e63851a
AgentTesla
c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4
AgentTesla
+ 13'565 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211215-n7116ahdg8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
bdc8485d955fe93a05b5ddc9e87dda298e481fc09a9c864572c5b9d9a180eb99
MD5 hash:
7ceac6c51375e05a2e65512c4fe491de
SHA1 hash:
f90df0085a38563d13e9164a05b111ad56bff698
Link:
https://www.unpac.me/results/43cb8863-a177-4edf-bafd-d5e66ffecdfb/
SH256 hash:
4f35ce680fb11234c4991050e7b2b388f12f5b18b9eb77c50ccec3b486d18b76
MD5 hash:
d1de9f6605504de05080b0f74ce9ef93
SHA1 hash:
e7be596bf5d138b1b867dd425d3ca54d1fbd50bb
Link:
https://www.unpac.me/results/43cb8863-a177-4edf-bafd-d5e66ffecdfb/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/43cb8863-a177-4edf-bafd-d5e66ffecdfb/
SH256 hash:
23cca5dea466cf7693d50889f30519af2b141cc3986ceb0d37f7e14e46b92aa5
MD5 hash:
8eb3d0bf3a12b42a810f4d8cd9a412e4
SHA1 hash:
f71228f0b07297e87544e43dafa206948c6baf3a
Link:
https://www.unpac.me/results/43cb8863-a177-4edf-bafd-d5e66ffecdfb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23cca5dea466cf7693d50889f30519af2b141cc3986ceb0d37f7e14e46b92aa5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 23cca5dea466cf7693d50889f30519af2b141cc3986ceb0d37f7e14e46b92aa5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1887403/
Cape
Cape
https://www.capesandbox.com/analysis/214332/

Comments


Avatar
zbet commented on 2021-12-15 12:02:17 UTC

url : hxxp://archbal.sbs/semx/sem.exe