MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2447933c7bf0db3f5bdcf7c901f4dd45f08267cbb5c5e4efe5f5a118195f0f86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2447933c7bf0db3f5bdcf7c901f4dd45f08267cbb5c5e4efe5f5a118195f0f86
SHA3-384 hash: d196302c51472e128905482ff0ccf20a1c20f5d0ac5be6c19d42be1b422c70c23104f225e0f66268f29d21ab5bcb24bb
SHA1 hash: eb17bddc09d84b5782f301cbd09d9df612ade6fa
MD5 hash: 200244edbf8e052fa0ab9f91dd6d2b19
humanhash: oklahoma-steak-orange-iowa
File name:SecuriteInfo.com.W32.AIDetectNet.01.24747.10588
Download: download sample
Signature AgentTesla
Create hunting rule
File size:391'680 bytes
First seen:2022-07-19 03:32:09 UTC
Last seen:2022-07-19 16:23:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:SrmX2ssgGrd+oh2bZBvWPsMQpWsDU/pE0ZkO4zXUudddagzUsiWh6XOfnbcaFg7c:c1ssg/62brvWPCpWX/pEakpjUudddagZ
Threatray 19'500 similar samples on MalwareBazaar
TLSH T11D8467F675E7410DD856BC389EB9AC23F866ED36488D563CEF3C314A21F20BA0590782
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0800e2eeece2e468 (10 x AgentTesla, 4 x NanoCore, 2 x QuasarRAT)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://193.233.187.19/mico/inc/5f36b6ce790780.php https://threatfox.abuse.ch/ioc/838642/

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291742/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.24747.10588.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d6262fef2b0e63a824c531/reports/d9d4ebf2-e233-4b5d-b8d9-5b8f2cd31b0b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/995b725a-c129-40bf-bd0d-5b671716f761
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036232
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 668726 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 19/07/2022 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 11 other signatures 2->52 7 SecuriteInfo.com.W32.AIDetectNet.01.24747.exe 7 2->7         started        11 excel.exe 4 2->11         started        13 excel.exe 3 2->13         started        process3 file4 30 C:\Users\user\AppData\...\Hqproioxh.exe, PE32 7->30 dropped 32 C:\Users\...\Hqproioxh.exe:Zone.Identifier, ASCII 7->32 dropped 34 SecuriteInfo.com.W...et.01.24747.exe.log, ASCII 7->34 dropped 54 Creates an undocumented autostart registry key 7->54 56 Encrypted powershell cmdline option found 7->56 58 Writes to foreign memory regions 7->58 64 2 other signatures 7->64 15 InstallUtil.exe 17 4 7->15         started        20 powershell.exe 13 7->20         started        60 Document exploit detected (process start blacklist hit) 11->60 62 Injects files into Windows application 11->62 22 conhost.exe 11->22         started        24 conhost.exe 13->24         started        signatures5 process6 dnsIp7 36 193.233.187.19, 49772, 80 REDCOM-ASRedcomKhabarovskRussiaRU Russian Federation 15->36 28 C:\Users\user\AppData\Local\...\excel.exe, PE32 15->28 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->38 40 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->40 42 Tries to steal Mail credentials (via file / registry access) 15->42 44 5 other signatures 15->44 26 conhost.exe 20->26         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2447933c7bf0db3f5bdcf7c901f4dd45f08267cbb5c5e4efe5f5a118195f0f86/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-19 03:33:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=erdzgpd36dnt6w6467eqd5g5ixyiez6lwxc6j37f6wqrqgk7b6da._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
740cdbd68d1d3705021e8b857f177c39938aa485f561ec1c208264d7d4ee5927
AgentTesla
9c18f7c761ef5854d1b3dd4b3176db9def2bd4b324f15aeffe4e995a1c6d5d79
AgentTesla
a1d01c0e1a1d513991939e0a16abc25ed3927f78102a24b6af85f09fbfb27567
AgentTesla
c9ead75d0d9084665d004c3d42a3ffc3c87bb826c79d33f5852df1caddf10755
AgentTesla
dbeaed64df79acb9ca2c3020a521ffcdf044257d29f3fb35e2469015e952f438
AgentTesla
f44758774bed0b815e7620d5e8937fd98a0313d10e3334e08424df68f09dc0a7
AgentTesla
+ 19'490 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220719-d37b9shag9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
AgentTesla
suricata: ET MALWARE AgentTesla Communicating with CnC Server
Malware Config
C2 Extraction:
http://193.233.187.19/mico/inc/5f36b6ce790780.php
Unpacked files
SH256 hash:
6894e7fdccec069bb2a3d5c8620fdd625584ee08b132ef9ae6a7f1a5f2911eb4
MD5 hash:
f1bd6b20e342eba6f412ded1bac8f4d0
SHA1 hash:
7555b1262acc21e44dd46e462a7e5057a3f11441
Link:
https://www.unpac.me/results/e25c436b-d98e-4749-b7c5-0b9bb5ff4f4c/
SH256 hash:
2447933c7bf0db3f5bdcf7c901f4dd45f08267cbb5c5e4efe5f5a118195f0f86
MD5 hash:
200244edbf8e052fa0ab9f91dd6d2b19
SHA1 hash:
eb17bddc09d84b5782f301cbd09d9df612ade6fa
Link:
https://www.unpac.me/results/e25c436b-d98e-4749-b7c5-0b9bb5ff4f4c/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2447933c7bf0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/2447933c7bf0db3f5bdcf7c901f4dd45f08267cbb5c5e4efe5f5a118195f0f86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291742/

Comments