MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 357569913d9435c1c2d15c74a27d1e59dee1b91634f25a690fc26f24c578769f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 9



SHA256 hash: 357569913d9435c1c2d15c74a27d1e59dee1b91634f25a690fc26f24c578769f
SHA3-384 hash: 5462eb47296e726fb397690707558aaad26063425229f9488c239cc212fedbcca5d97df5fd2b1070881d5afb3ec237ea
SHA1 hash: 66b2932966b674cb7945e6895d9153e52b9b8ba8
MD5 hash: 7d42534c42205e7eef0401aeb6fa91c0
humanhash: uncle-oklahoma-ink-spring
File name: 357569913D9435C1C2D15C74A27D1E59DEE1B91634F25.exe
Signature AgentTesla
File size: 622'592 bytes
First seen: 2021-08-29 04:55:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f533430d4d75b063c99546057cb3c428 (1 x AgentTesla)
ssdeep 12288:HZLS2Tb7vbNjkQ9VLV5UbRQLozfds3f3:HZLS2TfSQVLV5CSLozUP
Threatray 1'155 similar samples on MalwareBazaar
TLSH T1ACD401B32AB554C0C14AD7F0DE5EA6DCC116AC3A2E49C52B7718F8EB6730DD24886763
dhash icon 8ee0daced2524080 (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe


abuse_ch
AgentTesla C2:
http://31.220.40.22/~whoizzup/west/WebPanel/api.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://31.220.40.22/~whoizzup/west/WebPanel/api.php | https://threatfox.abuse.ch/ioc/201835/

Intelligence


File Origin
# of uploads: 1
# of downloads: 256
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
357569913D9435C1C2D15C74A27D1E59DEE1B91634F25.exe
Verdict:
No threats detected
Analysis date:
2021-08-29 04:56:46 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Reading critical registry keys
Creating a process from a recently created file
Unauthorized injection to a recently created process
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Behavior Graph ID: 473372. Sample: 357569913D9435C1C2D15C74A27... Start date: 29/08/2021. Architecture: WINDOWS. Score: 100

Top-level DNS: clientconfig.passport.net
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 9 other signatures

Process tree (recovered from the graph):

357569913D9435C1C2D15C74A27D1E59DEE1B91634F25.exe
    signatures: Detected unpacking (changes PE section rights); May check the online IP address of the machine; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    -> 357569913D9435C1C2D15C74A27D1E59DEE1B91634F25.exe (second instance)
        network: checkip.dyndns.org; checkip.dyndns.com 132.226.247.73 (ports 49703, 49715, 80; UTMEMUS, United States); 31.220.40.22 (ports 49709, 49710, 49711; AMARUTU-TECHNOLOGYNL, Germany)
        dropped: C:\Users\...\Marriott International Inc.exe (PE32); C:\Users\user\AppData\Local\Temp\Nyz.exe (PE32); Marriott Internati...exe:Zone.Identifier (ASCII)
        signatures: Moves itself to temp directory; Tries to steal Mail credentials (via file access); Hides that the sample has been downloaded from the Internet (zone.identifier)
        -> Nyz.exe

Marriott International Inc.exe
    -> Marriott International Inc.exe (second instance)
        network: checkip.dyndns.org
        dropped: C:\Users\user\AppData\Local\Temp\NR2.exe (PE32)
        signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
        -> NR2.exe (three instances)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            -> dw20.exe (one per NR2.exe instance)

Marriott International Inc.exe
    -> Marriott International Inc.exe (second instance)
        network: checkip.dyndns.org; 193.122.6.168 (ports 49717, 80; ORACLE-BMC-31898US, United States)
Threat name:
Win32.Packed.Generic
Status:
Suspicious
First seen:
2018-04-16 00:23:03 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  1/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SHA256 hash:
c2cae82e01d954e3a50feaebcd3f75de7416a851ea855d6f0e8aaac84a507ca3
MD5 hash:
f683769b947501b5a98376619d5938bb
SHA1 hash:
6a38e4acd9ade0d85697d10683ec84fa0daed11c
SHA256 hash:
d55800a825792f55999abdad199dfa54f3184417215a298910f2c12cd9cc31ee
MD5 hash:
bfb160a89f4a607a60464631ed3ed9fd
SHA1 hash:
1c981ef3eea8548a30e8d7bf8d0d61f9224288dd
SHA256 hash:
3ace9e4e064d77b66fcb0229cc7f522ee191ce83957e68471218ad2a681af983
MD5 hash:
662e89b876b053389c6b451a0b3d597c
SHA1 hash:
adbac31fc4cec6662d72ece186ecd25d7b64d515
SHA256 hash:
cd48399f4eb3e60d4a842d006c5003802b1dd90620aa5106329376ea6b191c66
MD5 hash:
b362801553a9f768356ccf9fd9e6cc3c
SHA1 hash:
9d4bbb292b12f5e02f73eaaf81f3f3e020434171
SHA256 hash:
357569913d9435c1c2d15c74a27d1e59dee1b91634f25a690fc26f24c578769f
MD5 hash:
7d42534c42205e7eef0401aeb6fa91c0
SHA1 hash:
66b2932966b674cb7945e6895d9153e52b9b8ba8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:AgentTesla
Author:kevoreilly
Description:AgentTesla Payload
Rule name:extracted_at_0x44b
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments