MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2deb6ee58cf11a940854730c33d0af2c0e36f5f1ab8d25e6a28961464eababbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2deb6ee58cf11a940854730c33d0af2c0e36f5f1ab8d25e6a28961464eababbb
SHA3-384 hash: cb2b41f76a98a60a1951438553fa2b7964b639214caa70721fef8a18204afa5b38eccdd1c28981f8171e638ac51d7733
SHA1 hash: fef77e0e1c8b5695b23c14b713f65f70e315a19f
MD5 hash: 9c23381c2a5470f2d025fc1add1c8d03
humanhash: sad-fifteen-tango-wolfram
File name:Inquiry_EC8112KW3.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:868'352 bytes
First seen:2023-07-22 08:35:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:iWc/bUYIsYolnOBr1GzgzHJfSjPAHaq3i9hwFwbdppG2HVfx0:xiXrYowfGmJfS8H1ADpsI
Threatray 412 similar samples on MalwareBazaar
TLSH T1E80501116BA49552C36B69B64C60D1350370AF377C26EE898CE13DC33CF9B44AAD7A93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c4aa82baa696e000 (2 x AgentTesla, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Inquiry_EC8112KW3.exe
Verdict:
Malicious activity
Analysis date:
2023-07-22 08:46:25 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/98fd3e39-2912-452b-ad7c-97eee743fd8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/428446/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68273809.14539.22720.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2deb6ee58cf11a940854730c33d0af2c0e36f5f1ab8d25e6a28961464eababbb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49f83828-32b0-4706-b7c7-6569c9ca5439
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277729
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277729 Sample: Inquiry_EC8112KW3.exe Startdate: 22/07/2023 Architecture: WINDOWS Score: 100 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 Machine Learning detection for sample 2->51 7 Inquiry_EC8112KW3.exe 7 2->7         started        11 XtqUjeeJwQ.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\XtqUjeeJwQ.exe, PE32 7->35 dropped 37 C:\Users\...\XtqUjeeJwQ.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp6C1A.tmp, XML 7->39 dropped 41 C:\Users\user\...\Inquiry_EC8112KW3.exe.log, ASCII 7->41 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 13 Inquiry_EC8112KW3.exe 7 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 17 7->19         started        21 schtasks.exe 1 7->21         started        59 Multi AV Scanner detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 63 Injects a PE file into a foreign processes 11->63 23 XtqUjeeJwQ.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 mail.icdanismanlik.com 78.135.107.25, 49714, 49715, 49716 PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR Turkey 13->43 65 Installs a global keyboard hook 13->65 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->67 69 Tries to steal Mail credentials (via file / registry access) 23->69 71 Tries to harvest and steal browser information (history, passwords, etc) 23->71 33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2deb6ee58cf11a940854730c33d0af2c0e36f5f1ab8d25e6a28961464eababbb/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 14:52:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
21 of 25 (84.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fxvw5zmm6enjiccuomgdhufpfqhdn5prvogslzvcrfqumtvlvo5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1a40316f6c5b2edf199b2ea9d5b00cc4ae5547a29b6aa08caadd5ed53a007521
AgentTesla
45bebb479e4a722bfb0c85d398ff1c0372e1dc28acf05ecd21cf3a548cb4b79b
AgentTesla
5516bb55a913a6b1603ef303e563b22ede0bf361be46f37f3b22f66670079790
AgentTesla
62b09bf1931ef9545b10b0bae3eb45a9896fec6add45690ddf95074378e71528
AgentTesla
830b93cdc24c1d75ee7ba0afcaddb58690f9d3ff96ded60ea5657768b188d301
AgentTesla
9d31c9cc465643be87d49f2b8be2a4500e8f5ab048e6327f407942fd8f02da53
AgentTesla
b5f3864d432f788ff976f1430cae362e82e906e2e3260c2d4fa3ab3d8bf04152
AgentTesla
b9cecf45cfc96014113cba345c3f917d598fb372f7b86e23d36f3ff3851d504a
AgentTesla
bfde4e4d95b159f2567c39229e702fc4bba9c53dbd579855ce487794a6759aa0
AgentTesla
fd36434871eb55ee3d9f78ee0fd63f26c915f8d5a7d3848ef6ffddcac75893cc
AgentTesla
+ 402 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230722-khk2vsac47/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
3e0eb979f1dcd068db2a2b66a5af64c6276c81230a8d36365a06f07a1174061a
MD5 hash:
566e43f1c8174baca65af37cb22d659b
SHA1 hash:
adde5e8512087ec4f38270e24b1bc289615ed32c
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/d0ba94a0-0279-4192-8839-d86f0d8f44b0/
Parent samples :
2deb6ee58cf11a940854730c33d0af2c0e36f5f1ab8d25e6a28961464eababbb
363b5b951382bb7c9af26fadf9a61541d5a2d4e733adcb40fbc87e18579fd69f
afbe25240ff930618be99be2ac711c4a9f6e1610873a22cffedf33eae5245259
dd6d6790b18937e7f2ca0a99e4a7dca9a4f268aa3245ef319ba943d2f432a0fd
f85606df4b72e97d27d10edac888f969bd3dc01500a3318100cdd048c6e790e9
SH256 hash:
7c743d979549f931d7101d1a14c14841ff47c848a3f30e31882d0d958bf5f941
MD5 hash:
508ba12479b3d78edb93f63b40ab3b7f
SHA1 hash:
d72b842c46546e4e494c9338b530e305dae1d5d2
Link:
https://www.unpac.me/results/d0ba94a0-0279-4192-8839-d86f0d8f44b0/
SH256 hash:
6cc9ff37f5c5910f476ba7229c7630fc85104b7388d96b144ba636cac5f0ac26
MD5 hash:
019a3a0dc701af7997908e7f6c882f2a
SHA1 hash:
347889244b82aa9b4448649409de969b68b7f0e3
Link:
https://www.unpac.me/results/d0ba94a0-0279-4192-8839-d86f0d8f44b0/
SH256 hash:
bb125151d73bf07210b6552c086edd951497700732d5f7d0bf66ba7f29ec62d0
MD5 hash:
274a19eea5137d2c8b8575b46dd7e937
SHA1 hash:
33626e022960379e57eb3153832807052b71ce7e
Link:
https://www.unpac.me/results/d0ba94a0-0279-4192-8839-d86f0d8f44b0/
SH256 hash:
2deb6ee58cf11a940854730c33d0af2c0e36f5f1ab8d25e6a28961464eababbb
MD5 hash:
9c23381c2a5470f2d025fc1add1c8d03
SHA1 hash:
fef77e0e1c8b5695b23c14b713f65f70e315a19f
Link:
https://www.unpac.me/results/d0ba94a0-0279-4192-8839-d86f0d8f44b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2deb6ee58cf11a940854730c33d0af2c0e36f5f1ab8d25e6a28961464eababbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/428446/

Comments