MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31c199d5367f91b9db1140cf3718a91c569e124d20b5a7121c877d9d19d64075. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31c199d5367f91b9db1140cf3718a91c569e124d20b5a7121c877d9d19d64075
SHA3-384 hash: 24fbc48d0732e87823e8f91c772a642f7e8ea14d6bff9bbb6341ed0ddea7e178b9c64be7bd2bcb872c4a0c0245a9a06e
SHA1 hash: 51dfe91de60bb5390fb766005657b73214192a7a
MD5 hash: 03fb76f83bae0f48c92601adcc0811d0
humanhash: texas-three-quiet-maine
File name:Gibson Advice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:668'672 bytes
First seen:2023-10-22 07:40:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:q61K1vjJGGna1ZX6/lqWchWP6kLWJ9wYdUuYwP7msg0n1POdUVYOa7q1:z1K1LJ1na1w/HP6kLWTquHPC90n1POWt
Threatray 332 similar samples on MalwareBazaar
TLSH T10AE4224033F41B27C1B9937AA4264341D7B72198AA32E729AD9DA5F63D37F8C4701E1B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0d4a26355b2ccf0 (19 x AgentTesla, 6 x Formbook, 2 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Gibson Advice.exe
Verdict:
Malicious activity
Analysis date:
2023-10-22 08:48:49 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/477c7040-9ae2-4bc4-b180-04d1b6ae5b4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen21.37872.27504.15123.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
control lolbin packed
Link:
https://www.filescan.io/uploads/6534d21a48beb17ddbc863f6/reports/353432b8-cd37-46f4-aff7-1d258eec10b9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/31c199d5367f91b9db1140cf3718a91c569e124d20b5a7121c877d9d19d64075
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a694f201-c157-4635-af0a-841ba1c1dddd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1329967
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1329967 Sample: Gibson_Advice.exe Startdate: 22/10/2023 Architecture: WINDOWS Score: 100 69 discordapp.com 2->69 71 api4.ipify.org 2->71 73 api.ipify.org 2->73 97 Found malware configuration 2->97 99 Antivirus / Scanner detection for submitted sample 2->99 101 Sigma detected: Scheduled temp file as task from temp location 2->101 103 8 other signatures 2->103 9 sUgoFlV.exe 5 2->9         started        12 Gibson_Advice.exe 7 2->12         started        15 newapp.exe 2->15         started        signatures3 process4 file5 109 Antivirus detection for dropped file 9->109 111 Multi AV Scanner detection for dropped file 9->111 113 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->113 115 Machine Learning detection for dropped file 9->115 17 newapp.exe 9->17         started        20 sUgoFlV.exe 9->20         started        22 schtasks.exe 9->22         started        65 C:\Users\user\AppData\Roaming\sUgoFlV.exe, PE32 12->65 dropped 67 C:\Users\user\AppData\Local\...\tmp4C52.tmp, XML 12->67 dropped 117 Uses schtasks.exe or at.exe to add and modify task schedules 12->117 119 Adds a directory exclusion to Windows Defender 12->119 121 Injects a PE file into a foreign processes 12->121 24 Gibson_Advice.exe 17 5 12->24         started        28 powershell.exe 23 12->28         started        30 powershell.exe 23 12->30         started        36 3 other processes 12->36 32 newapp.exe 15->32         started        34 schtasks.exe 15->34         started        signatures6 process7 dnsIp8 81 Antivirus detection for dropped file 17->81 83 Multi AV Scanner detection for dropped file 17->83 85 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->85 95 2 other signatures 17->95 54 3 other processes 17->54 38 WerFault.exe 20->38         started        40 conhost.exe 22->40         started        75 api4.ipify.org 173.231.16.77, 443, 49716, 49720 WEBNXUS United States 24->75 77 discordapp.com 162.159.130.233, 443, 49717, 49721 CLOUDFLARENETUS United States 24->77 61 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 24->61 dropped 63 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 24->63 dropped 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->87 89 Tries to steal Mail credentials (via file / registry access) 24->89 91 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->91 42 WerFault.exe 24->42         started        44 conhost.exe 28->44         started        46 conhost.exe 30->46         started        79 104.237.62.212, 443, 49728 WEBNXUS United States 32->79 93 Tries to harvest and steal browser information (history, passwords, etc) 32->93 48 WerFault.exe 32->48         started        50 conhost.exe 34->50         started        52 conhost.exe 36->52         started        file9 signatures10 process11 signatures12 105 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 54->105 107 Tries to steal Mail credentials (via file / registry access) 54->107 57 conhost.exe 54->57         started        59 WerFault.exe 54->59         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/31c199d5367f91b9db1140cf3718a91c569e124d20b5a7121c877d9d19d64075
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/31c199d5367f91b9db1140cf3718a91c569e124d20b5a7121c877d9d19d64075/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-09 02:34:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ghaztvjwp6i3twyridhtogfjdrlj4esnec22oeq4q56z2gowib2q._file
Verdict:
malicious
Similar samples:
164d54f565cb9285f383bd2bf702123d8db4f32262bac2ab6324ad1975920cb2
AgentTesla
4343245f1db76214093c4adefb0b167327c7bd49fa66608eccb2c4faadc3e32d
AgentTesla
76f7e2ea6dc4dccb78c4d28107d8b9c83ca352a4bb977fd7ed17341a7ca126ca
AgentTesla
7896b4cfc3a0bc24a6833164c934053575628c00473e3af848d361a6b8b02ca4
AgentTesla
7c040173f644c80b101c2dd035b9a95de5e9505bac8608c4710739e6a3facd65
AgentTesla
87dcdd3f1671bc564055e160fe0a4cf12033f6b430d2a5520e5a92adaf85e4d2
AgentTesla
b4897fb2b7450804ea184f77c7661b1af8c022c294d69f127e8c1ee47f37ca68
AgentTesla
eff0a14165d70f613fe5c71186dd7bd9cd6c69e409811167a7c97a97debc572f
AgentTesla
+ 322 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231022-jh5wlafh99/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discordapp.com/api/webhooks/1153700699834691685/M5gCinKbgwx1y0Un3wShojVYyovSobKStS9hh3xaGpbehVxd9J0PoL95zLfmRDpOlFyJ
Unpacked files
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/6de806d3-f57e-4cc8-9fc6-53e6e875558c/
SH256 hash:
9c4ca0fb7f05e3a12574a65ac2bc51ce1f3f46794efcada112f526da890c0ac4
MD5 hash:
10732f3824833dfe7de4bc00a5788eab
SHA1 hash:
c9a4890ebdfa0d8a7b97ba3ea6d74123680d4668
Link:
https://www.unpac.me/results/6de806d3-f57e-4cc8-9fc6-53e6e875558c/
SH256 hash:
7a49f373d65715c23a6394f7670c27341adc254a24a7cdc0bbfcd30045e8ba95
MD5 hash:
54d2392c39350e222513ddf104a4d9c4
SHA1 hash:
ab1eabb8f5e915b179d4142d4b65b049c007bb3f
Link:
https://www.unpac.me/results/6de806d3-f57e-4cc8-9fc6-53e6e875558c/
SH256 hash:
9cba9132e8cf51608dee0dfecbfcfb8568427dca79c1d0457e12cb554d859092
MD5 hash:
325978b66a3889c432c76b51b4fbaf98
SHA1 hash:
0fdf8862ecb3be129b8d6a5d4d951e8db9967de7
Link:
https://www.unpac.me/results/6de806d3-f57e-4cc8-9fc6-53e6e875558c/
SH256 hash:
31c199d5367f91b9db1140cf3718a91c569e124d20b5a7121c877d9d19d64075
MD5 hash:
03fb76f83bae0f48c92601adcc0811d0
SHA1 hash:
51dfe91de60bb5390fb766005657b73214192a7a
Link:
https://www.unpac.me/results/6de806d3-f57e-4cc8-9fc6-53e6e875558c/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/31c199d5367f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/31c199d5367f91b9db1140cf3718a91c569e124d20b5a7121c877d9d19d64075

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments