MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35a8230207c089a54d80a6b45299b23f67047eed4cb285dfb57834eb5a2be571. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35a8230207c089a54d80a6b45299b23f67047eed4cb285dfb57834eb5a2be571
SHA3-384 hash: e6992dc22adf2c86e862c85f2b7cf4e85d4541a0e6c3e036d49fb779bb4edff52729fccb119541dac30c6bc24eda6470
SHA1 hash: f0307934a7cb026b3536fbcadc2dd965fc9aeb71
MD5 hash: 61a5dc052266a9bb16020eae77b8e4c9
humanhash: grey-network-glucose-winter
File name:61a5dc052266a9bb16020eae77b8e4c9
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'110'016 bytes
First seen:2022-10-17 14:32:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:pF7nheEHvCxAFP+w7fZ6NxABIioqzRqvdwteLM1kMRDnKyGyys/yRYcJbezuy5Vk:pxnfC+IGWAS3qElO1kMRDnKfbRBo
TLSH T13535057636924906E815313584B3DEB32AE65D18606DC2C796D33F2F7CED2BEBD02246
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b270f0f0f8f07092 (19 x SnakeKeylogger, 4 x AgentTesla)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321033/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.AGQB.tr.12072.29616.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634d679fb87ce1b32f7908e0/reports/8011ace5-bcfe-43e9-987a-df233280529c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d943e15f-c0c8-48b1-87bb-24a2c9712ca0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1091980
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 724599 Sample: qjGJFKPnsr.exe Startdate: 17/10/2022 Architecture: WINDOWS Score: 100 62 us2.smtp.mailhostbox.com 2->62 76 Malicious sample detected (through community Yara rule) 2->76 78 Sigma detected: Scheduled temp file as task from temp location 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 5 other signatures 2->82 8 qjGJFKPnsr.exe 7 2->8         started        12 JqkEfLKaI.exe 5 2->12         started        14 sYEatj.exe 2->14         started        16 sYEatj.exe 2->16         started        signatures3 process4 dnsIp5 52 C:\Users\user\AppData\Roaming\JqkEfLKaI.exe, PE32 8->52 dropped 54 C:\Users\...\JqkEfLKaI.exe:Zone.Identifier, ASCII 8->54 dropped 56 C:\Users\user\AppData\Local\...\tmp49AB.tmp, XML 8->56 dropped 58 C:\Users\user\AppData\...\qjGJFKPnsr.exe.log, ASCII 8->58 dropped 94 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->94 96 May check the online IP address of the machine 8->96 98 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->98 104 2 other signatures 8->104 19 qjGJFKPnsr.exe 17 6 8->19         started        24 powershell.exe 20 8->24         started        26 schtasks.exe 1 8->26         started        100 Multi AV Scanner detection for dropped file 12->100 102 Injects a PE file into a foreign processes 12->102 28 JqkEfLKaI.exe 12->28         started        30 schtasks.exe 12->30         started        32 JqkEfLKaI.exe 12->32         started        34 sYEatj.exe 14->34         started        36 schtasks.exe 14->36         started        38 sYEatj.exe 14->38         started        60 192.168.2.1 unknown unknown 16->60 file6 signatures7 process8 dnsIp9 64 us2.smtp.mailhostbox.com 208.91.198.143, 49697, 49700, 587 PUBLIC-DOMAIN-REGISTRYUS United States 19->64 66 api.ipify.org.herokudns.com 3.232.242.170, 443, 49696 AMAZON-AESUS United States 19->66 68 api.ipify.org 19->68 48 C:\Users\user\AppData\Roaming\...\sYEatj.exe, PE32 19->48 dropped 50 C:\Users\user\...\sYEatj.exe:Zone.Identifier, ASCII 19->50 dropped 84 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->84 86 Tries to steal Mail credentials (via file / registry access) 19->86 88 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->88 40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        70 52.20.78.240, 443, 49698, 49699 AMAZON-AESUS United States 28->70 72 api.ipify.org 28->72 44 conhost.exe 30->44         started        74 api.ipify.org 34->74 90 Tries to harvest and steal ftp login credentials 34->90 92 Tries to harvest and steal browser information (history, passwords, etc) 34->92 46 conhost.exe 36->46         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35a8230207c089a54d80a6b45299b23f67047eed4cb285dfb57834eb5a2be571/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-17 13:43:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwucgaqhyce2ktmau22ffgnsh5tqi7xnjszilx5vpa2owwrl4vyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221017-rwvxjscccp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
fc2cc27aa025278396cb0d29283bdbf2f37e0c39573cdd7ccd1221161d327ca0
MD5 hash:
76e812140cc05d5cbc7a708fbed2faf8
SHA1 hash:
fb3749f9bccb9de2be4a6e8810d717e0bc63c8d8
Link:
https://www.unpac.me/results/5cc8da3b-965c-4b8b-8fd5-fa48e5e4cc64/
SH256 hash:
b62aa542692ebe42d87d8d3ec1a61bf18c219ff55f1a2bfa98c5417f789ed310
MD5 hash:
0f6e78fc9eb453c3897a4589453d1d89
SHA1 hash:
de045d666e0484fb2c396373199eaf2acc5e8311
Link:
https://www.unpac.me/results/5cc8da3b-965c-4b8b-8fd5-fa48e5e4cc64/
SH256 hash:
dca6c7e686aea0ae2c150ab2aad04e74a21afaa9e177c3c7e6c481a27e18d1ff
MD5 hash:
8e4799e0c90a9a1cbbaff6af8ffc50fa
SHA1 hash:
74cdcb93c2d97644b5cb7addb402cf8cb9af1c33
Link:
https://www.unpac.me/results/5cc8da3b-965c-4b8b-8fd5-fa48e5e4cc64/
SH256 hash:
23715b3187c8c0b2293b459bc87c27d4c5f28ec4840de12f3aa6976a897dc2f6
MD5 hash:
ee6e55cffc4c44fc1f04874021b3f5a2
SHA1 hash:
460516c6d8641043d30f57a0832b6c3d0cf19c46
Link:
https://www.unpac.me/results/5cc8da3b-965c-4b8b-8fd5-fa48e5e4cc64/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/5cc8da3b-965c-4b8b-8fd5-fa48e5e4cc64/
SH256 hash:
35a8230207c089a54d80a6b45299b23f67047eed4cb285dfb57834eb5a2be571
MD5 hash:
61a5dc052266a9bb16020eae77b8e4c9
SHA1 hash:
f0307934a7cb026b3536fbcadc2dd965fc9aeb71
Link:
https://www.unpac.me/results/5cc8da3b-965c-4b8b-8fd5-fa48e5e4cc64/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35a8230207c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/35a8230207c089a54d80a6b45299b23f67047eed4cb285dfb57834eb5a2be571

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 35a8230207c089a54d80a6b45299b23f67047eed4cb285dfb57834eb5a2be571

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2376470/
Cape
Cape
https://www.capesandbox.com/analysis/321033/

Comments