MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28912c7805fc5f8db5b59d7b9b83c286c297355a53d5204bbe11cb05ab11a0ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28912c7805fc5f8db5b59d7b9b83c286c297355a53d5204bbe11cb05ab11a0ec
SHA3-384 hash: 23383571eafa7f52e7b9b96dd1f6a284222ccf5cb91a7deea438ca0760f308c9fbc718e6493837fecf43c39d049c391c
SHA1 hash: 521197a9492e262d5a987d217978369884fb25b7
MD5 hash: 670909f644ce1f67294054c96ed22d9e
humanhash: single-robert-sweet-nebraska
File name:SecuriteInfo.com.Win32.PWSX-gen.32656.4667
Download: download sample
Signature AgentTesla
Create hunting rule
File size:823'808 bytes
First seen:2023-03-15 04:33:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Jiz2LWjiJGRTwd3a72RlMJr1pLSDXTdtC5l218JLfd/mFoeBfGaV11sxa8U:ti+JTxa72HUhSDXptCy1mLa1Qa
Threatray 1'380 similar samples on MalwareBazaar
TLSH T11D05124C627A97A2CE3C33FB84652864437266259241F36D2EC968F71FF1BC4C454E9B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon f8ec96b2b296ccf0 (8 x AgentTesla, 4 x SnakeKeylogger, 3 x Formbook)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.32656.4667
Verdict:
Malicious activity
Analysis date:
2023-03-15 04:36:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8bfed81b-f67f-41cc-9bad-478d40ca771d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374464/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.32656.4667.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64114abb949a950538ed3381/reports/001313b7-e7f1-465b-8d9b-ea93543d1282/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/28912c7805fc5f8db5b59d7b9b83c286c297355a53d5204bbe11cb05ab11a0ec
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/064ee56f-8833-4027-8435-b16c2ebaff23
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1193909
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28912c7805fc5f8db5b59d7b9b83c286c297355a53d5204bbe11cb05ab11a0ec/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-15 03:52:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 39 (48.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fcisy6af7rpy3nnvtv5zxa6cq3bjonk2kpksas56chfqlkyrudwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
060b6aed68cd9ef0612aa56a5c714ac31485c56c048c42b38ad01f40eef9bac0
AgentTesla
1c83206073dde5d3a78ec0cd98f52c764f520737a88c2f3e255326c9b328aa76
AgentTesla
539840e15e55f759d60f982d75e6a1aaf4b0a1159fbd4dfb096344569476cd54
AgentTesla
60756600b313edbba5f10915507ae6f7e1fe22bb7dc34e7efa2c1503441f8736
AgentTesla
60d1370a6be9757d7c17dde38c1b092d70fa3bfc4d26a2f9548b095a2c714fb7
AgentTesla
6ae9e95178fbe3f0b8d2495b927ebbba4edf143d9d703170d6a309bce7e8aad8
AgentTesla
6e8160f23b32743ffdcd853036d351c0ec4410d61f28254854b0ec6abdfb4fc3
AgentTesla
918057f4d236bf49e9efaceb3c4aaab580baf9960ac45d2fe8d97c5d98111f73
AgentTesla
b7cdc5d7eee046fb090cee2dc703e8b68e84927dbf5b49e787c97e2dcf61777b
AgentTesla
+ 1'370 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230315-e64afsdd7s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0b12a20b5eb4953d5e808f6fc7e5c72a2effcc6a9fd96a20b1b63b29742efc36
MD5 hash:
155f2d152326fa279e204c7d88b8c148
SHA1 hash:
eeac76c49a39d668965bca3cdc43a7495bcea1df
Link:
https://www.unpac.me/results/51a887da-50b5-4f1d-a951-95d94eed75eb/
SH256 hash:
2639f9feaa474e591cd541602b87be2f6ca77372d345b2a5672c5c978d6a50c2
MD5 hash:
500e69f744a7b4d4c893c5570e95b771
SHA1 hash:
cae6912b49b7f696bf9765e7fa537e71915c7c45
Link:
https://www.unpac.me/results/51a887da-50b5-4f1d-a951-95d94eed75eb/
SH256 hash:
b8fb836ca7187eb08192b790fe42a12c47785fd47df90875f061c0cca9957b6e
MD5 hash:
63a704d9cfeee17fae8aec3e96b3e144
SHA1 hash:
b7ee0adc1956cc2f9e791599ffbaf70b6a512eb9
Link:
https://www.unpac.me/results/51a887da-50b5-4f1d-a951-95d94eed75eb/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/51a887da-50b5-4f1d-a951-95d94eed75eb/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
b816e40675c6a59eda867e767e51d3752799a32dea90da10e3ebf9a72fb9b62a
MD5 hash:
9e061792b9a15445a5745bc6798f9b5d
SHA1 hash:
766e0e4efa1b7790ffa47eca83d71a4bc9ab774c
Link:
https://www.unpac.me/results/51a887da-50b5-4f1d-a951-95d94eed75eb/
SH256 hash:
28912c7805fc5f8db5b59d7b9b83c286c297355a53d5204bbe11cb05ab11a0ec
MD5 hash:
670909f644ce1f67294054c96ed22d9e
SHA1 hash:
521197a9492e262d5a987d217978369884fb25b7
Link:
https://www.unpac.me/results/51a887da-50b5-4f1d-a951-95d94eed75eb/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/28912c7805fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/28912c7805fc5f8db5b59d7b9b83c286c297355a53d5204bbe11cb05ab11a0ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/374464/

Comments