MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 276198e30803db7e1c567868cb302237b8a95b16fa2fb4e1ab607d880cf73ef4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 16



SHA256 hash: 276198e30803db7e1c567868cb302237b8a95b16fa2fb4e1ab607d880cf73ef4
SHA3-384 hash: 44b60b7a6493adce8955372d91c76cd649b1e549724fdf6d5455967422a4eef2053936e5e57a60f2f937ffed30c09ce6
SHA1 hash: 03ac7f400a2f3546f4b0397f476e1823187c12b6
MD5 hash: 599394f1470eef8c7a63e84a7de25e49
humanhash: moon-purple-tennis-avocado
File name: httrack_x64-3.49.2.exe
Signature AgentTesla
File size: 6'831'616 bytes
First seen: 2023-10-12 01:56:08 UTC
Last seen: 2023-10-12 02:44:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:v0SqgwDyM8QYn+uL0yqSvXVQv9VKOerelNw7G7ToHRDzYqls6qp1a9b:v0Xgk98QYHLmiVgVKONKsExvls6oa
Threatray 46 similar samples on MalwareBazaar
TLSH T1D7663352E43E9409E409777EBCD593F0A0395799D5A3CF29830058F61D83AA7EAD28FC
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 7979790579797979 (1 x AgentTesla)
Reporter stealerkiller
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 293
Origin country: GB
Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: https://transfer.sh/get/votnUdOHL7/httrack_x64-3.49.2.exe
Verdict: Malicious activity
Analysis date: 2023-10-11 22:23:35 UTC
Tags: evasion agenttesla stealer loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Restart of the analyzed sample
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Moving a file to the %temp% directory
Reading critical registry keys
Launching the process to interact with network services
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Sending an HTTP GET request to an infection source
Adding an exclusion to Microsoft Defender
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Agent Tesla, AgentTesla, Glupteba, Smoke
Detection: malicious
Classification: phis.troj.adwa.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to capture screen (.Net source)
Detected Agent Tesla keylogger
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop multiple services
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
[Behavior graph rendering not reproduced. Behavior Graph ID: 1324327; Sample: httrack_x64-3.49.2.exe; Startdate: 12/10/2023; Architecture: WINDOWS; Score: 100]
Threat name: ByteCode-MSIL.Trojan.ZulsyCrypt
Status: Malicious
First seen: 2023-10-12 01:26:10 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 22 of 38 (57.89%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 34dd266b2ec7f77dae04bdcd14e82b0cf977e0c6cc689a1c8a49737bb18a86be
MD5 hash: 8eb83d03ac895bfc02605ffcf4638e48
SHA1 hash: 4652248cf75128893ae1e885d0ec0217fc25a5b4
Detections: win_agent_tesla_g1

SHA256 hash: d55800a825792f55999abdad199dfa54f3184417215a298910f2c12cd9cc31ee
MD5 hash: bfb160a89f4a607a60464631ed3ed9fd
SHA1 hash: 1c981ef3eea8548a30e8d7bf8d0d61f9224288dd

SHA256 hash: 4a3bd769ae9e7fd1eac77f960964ac90f74d3e04398647b8dc6868608f190bd2
MD5 hash: f5cee86b61301a992d0f8395fbc50043
SHA1 hash: 1b3d0ad0a4c1fdf4c37223e68cfda52dbb3c828a

SHA256 hash: 276198e30803db7e1c567868cb302237b8a95b16fa2fb4e1ab607d880cf73ef4
MD5 hash: 599394f1470eef8c7a63e84a7de25e49
SHA1 hash: 03ac7f400a2f3546f4b0397f476e1823187c12b6

Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments