MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 312a01b589aea6e8dfc11fdd5a362228970074eeec1a97d36f23f99b48b586f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 312a01b589aea6e8dfc11fdd5a362228970074eeec1a97d36f23f99b48b586f0
SHA3-384 hash: 20c054ed4bcd7174cdd041e853c9c40fc2903b56861ba3e4b5991be8d2de1af6802bf400f7408ace2eb5cb2129d5885e
SHA1 hash: 66bc490fc63261ae0323841d78fe623359f4189e
MD5 hash: afe9a29aebb1d81c76245d7485ec6238
humanhash: single-robert-salami-orange
File name:MiladGroupLoader.ps1
Download: download sample
Signature AgentTesla
Create hunting rule
File size:468 bytes
First seen:2023-07-01 23:19:26 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:s8AdjL4sT27L87HGrdvhIW+4WWHF7vQnD5j+CrBiAWIMUI:WosT27LmGrdB+4XF7vmD4GBTmJ
Threatray 16 similar samples on MalwareBazaar
TLSH T13BF0DC135DD16165C209C61AF4AFC3176892DD08A8D6B5D2AEE48807EC4324A95B9E12
Reporter Anonymous
Tags:AgentTesla ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
CA CA
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Heur.BZC.PZQ.Boxter.928.9C6F61B5.31455.10005.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64a0b4a31a035eeff9b3aac9/reports/4ae1b707-f6ae-4260-8094-b4ad2a521cd7/overview
Verdict:
Malicious
Labled as:
BZC.PZQ.Boxter.928
Link:
https://www.hybrid-analysis.com/sample/312a01b589aea6e8dfc11fdd5a362228970074eeec1a97d36f23f99b48b586f0
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1264690
Signature
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 897721 Sample: MiladGroupLoader.ps1 Startdate: 02/07/2023 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Antivirus detection for URL or domain 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 3 other signatures 2->46 7 powershell.exe 14 20 2->7         started        process3 dnsIp4 36 107.175.113.210, 49698, 80 AS-COLOCROSSINGUS United States 7->36 30 C:\nmcn.exe, PE32+ 7->30 dropped 56 Powershell drops PE file 7->56 12 nmcn.exe 14 3 7->12         started        16 powershell.exe 2 7->16         started        18 conhost.exe 7->18         started        file5 signatures6 process7 dnsIp8 38 kyliansuperm92139124.sbs 188.114.96.7, 443, 49699 CLOUDFLARENETUS European Union 12->38 58 Multi AV Scanner detection for dropped file 12->58 60 Machine Learning detection for dropped file 12->60 62 Writes to foreign memory regions 12->62 64 Injects a PE file into a foreign processes 12->64 20 AddInProcess32.exe 15 2 12->20         started        24 ngen.exe 12->24         started        26 aspnet_wp.exe 12->26         started        28 12 other processes 12->28 signatures9 process10 dnsIp11 32 api4.ipify.org 173.231.16.76, 443, 49700 WEBNXUS United States 20->32 34 api.ipify.org 20->34 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->48 50 May check the online IP address of the machine 20->50 52 Tries to steal Mail credentials (via file / registry access) 20->52 54 2 other signatures 20->54 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/312a01b589aea6e8dfc11fdd5a362228970074eeec1a97d36f23f99b48b586f0/
Threat name:
Script-PowerShell.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2023-07-01 23:20:05 UTC
File Type:
Text (PowerShell)
AV detection:
5 of 37 (13.51%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gevadnmjv2torx6bd7ovunrcfclqa5ho5qnjpu3pep4zwsfvq3ya._file
Verdict:
malicious
Similar samples:
1201be819db6d09ce9bd23656c5bbd7430e0420f30c39afe37b3a4662581f143
AgentTesla
65831b6a853bb664e7f189003da9cdda832e5bcf647c1e262b3bc80acb715814
AgentTesla
66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216
AgentTesla
8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93
AgentTesla
838ce5b36c1e435c66278140a5ba8c1468f5e844f8cd8dd4aa330c5640b56053
AgentTesla
877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7
AgentTesla
ab8674f0baf9cc51bdb639626664be6917a3682aa7ea25b7c233b673800513b0
AgentTesla
b82291de6b50625fbe64293024d4b7d3f1bc874e14d8a6c613b56cf4c5854d30
AgentTesla
fbbad7f1ea80336f2d11ec3df5d547fedcca56d3def4eb369f605122b02f3f34
AgentTesla
+ 6 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230701-3beklshh85/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6186587654:AAGCfYz_-Ywr0jS403I82r-XCvl_CsLT1L0/
Dropper Extraction:
http://107.175.113.210/976/nmcn.exe
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/312a01b589ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/312a01b589aea6e8dfc11fdd5a362228970074eeec1a97d36f23f99b48b586f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AgentTesla

PowerShell (PS) ps1 312a01b589aea6e8dfc11fdd5a362228970074eeec1a97d36f23f99b48b586f0

(this sample)

AgentTesla

Executable exe 8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93

  
URLhaus
https://urlhaus.abuse.ch/url/2674880/
  
Dropping
SHA256 8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93

Comments