MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35d0ebd1aeba54167215c5414cebcd9ca2ad2ac67545d4090a8657b0d4b59c61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35d0ebd1aeba54167215c5414cebcd9ca2ad2ac67545d4090a8657b0d4b59c61
SHA3-384 hash: 9acd4619e3928ddc2e07c1bee8dfe39497044d67010b255126c667a6166506605785892025772b9cfbbd65d4770b4c0f
SHA1 hash: 1524101b30dd399e96171e80a37a2c34ff3960c0
MD5 hash: d027252964a2876a6725e40129243c4e
humanhash: michigan-beryllium-autumn-winter
File name:SecuriteInfo.com.Win32.PWSX-gen.7213.18298
Download: download sample
Signature AgentTesla
Create hunting rule
File size:641'024 bytes
First seen:2023-07-17 05:27:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'481 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:QSU/GQIut7DRWmhKImT1dMStENbyoy/c079WA/mS:tU/z7VrhpmmZ0/cA+
Threatray 4'900 similar samples on MalwareBazaar
TLSH T1DBD43B1B3AD02957E42E427E107C6A6CEAEEE61D427FD924342CC293B2F664C0D5D74B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.7213.18298
Verdict:
Malicious activity
Analysis date:
2023-07-17 05:29:47 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/c2aeb790-7ccd-475d-9d3a-d31285ca2b38

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/422105/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.7213.18298.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed replace
Link:
https://www.filescan.io/uploads/64b4d163fd9e198dc114d008/reports/d7837a15-088e-4b65-89d0-48de7570f7f9/overview
Verdict:
Malicious
Labled as:
MSIL/Kryptik_AGeneric.BBQ trojan
Link:
https://www.hybrid-analysis.com/sample/35d0ebd1aeba54167215c5414cebcd9ca2ad2ac67545d4090a8657b0d4b59c61
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3f328e12-2e4b-4e0f-bde6-d7b6c03205b8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274199
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1274199 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 17/07/2023 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Sigma detected: Scheduled temp file as task from temp location 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 3 other signatures 2->48 7 SecuriteInfo.com.Win32.PWSX-gen.7213.18298.exe 6 2->7         started        11 rVqnPDw.exe 2 2->11         started        13 iCZJxYSQIxNjPT.exe 2 2->13         started        15 rVqnPDw.exe 2 2->15         started        process3 file4 30 C:\Users\user\AppData\...\iCZJxYSQIxNjPT.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\Local\...\tmpBFA7.tmp, XML 7->32 dropped 34 SecuriteInfo.com.W....7213.18298.exe.log, ASCII 7->34 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->58 60 May check the online IP address of the machine 7->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 7->62 64 Injects a PE file into a foreign processes 7->64 17 SecuriteInfo.com.Win32.PWSX-gen.7213.18298.exe 17 10 7->17         started        22 schtasks.exe 1 7->22         started        66 Multi AV Scanner detection for dropped file 11->66 68 Machine Learning detection for dropped file 11->68 signatures5 process6 dnsIp7 36 wongpowah.com.hk 103.13.51.82, 49698, 49699, 587 SGC-CAL-ASSGC-CloudAllianceLimitedHK Hong Kong 17->36 38 mail.wongpowah.com.hk 17->38 40 2 other IPs or domains 17->40 26 C:\Users\user\AppData\Roaming\...\rVqnPDw.exe, PE32 17->26 dropped 28 C:\Users\user\...\rVqnPDw.exe:Zone.Identifier, ASCII 17->28 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->50 52 Tries to steal Mail credentials (via file / registry access) 17->52 54 Tries to harvest and steal browser information (history, passwords, etc) 17->54 56 2 other signatures 17->56 24 conhost.exe 22->24         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/35d0ebd1aeba54167215c5414cebcd9ca2ad2ac67545d4090a8657b0d4b59c61/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 02:49:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxioxunoxjkbm4qvyvauz26ntsrk2kwgovc5icikqzl3bvfvtrqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3cfb4f3c28821b32a5d0904657b78a98ab8ec59d6a3c6230e9e44598cd3d6904
AgentTesla
41fa3f12b132569bfa21259f8880b11be191db8c820f0505e0128d0fa9df48a7
AgentTesla
7e781f414da0e2f65ca8c1a8a103a9b88d2d8e4d6c53998642f271e40b29ff68
AgentTesla
8dd7c62102a24ddff6447492b5981e7284ab841454e3f906bb0303eb4ec99c93
AgentTesla
9e7910da0fdefe5822be59e1084d1dffe2f4bcbd670d2bab6da75718653c69c0
AgentTesla
d52f10a09796e91680cb8a8c25abcce09303c4044e31344dbda417b34ec5815e
AgentTesla
d78480d58e19a9732187f4764a747c23c9572d6b7e18b420254756173e9bbcbf
AgentTesla
ef4dabd36f9807e3a556cd505515d60a09737d6314a7a09090075bc28261b27c
AgentTesla
f4ab856bd56b75b7ebb8925ba5f880a539b398c9286a47c45ba0ff1a220a2f5a
AgentTesla
+ 4'890 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230717-f5z23sad26/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/f7dae84c-d5b1-4068-b916-994dbb7b10ae/
SH256 hash:
8aa6ac0c0f3713689adb70d54ed8bc83f50616d01891314005d5366e43c4aef7
MD5 hash:
4f519e42baf208066358c1252ede8003
SHA1 hash:
76d18866f301eac7298bcdcc87cbc7ffc4a2acb5
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/f7dae84c-d5b1-4068-b916-994dbb7b10ae/
Parent samples :
35d0ebd1aeba54167215c5414cebcd9ca2ad2ac67545d4090a8657b0d4b59c61
8aa6ac0c0f3713689adb70d54ed8bc83f50616d01891314005d5366e43c4aef7
ed9b32173b779e331be0019ed97ce6a3ed4e651c4660e1825605043d18addbc6
SH256 hash:
b6d876351135dfff164319520db5ad3655d6d3a14c2a02ea2be8b1d401d95878
MD5 hash:
72a867e61434a01cf9c0e53770f76d99
SHA1 hash:
6b52b83ccb9c7cab4768ab526baa57f49f3e3529
Link:
https://www.unpac.me/results/f7dae84c-d5b1-4068-b916-994dbb7b10ae/
SH256 hash:
35d0ebd1aeba54167215c5414cebcd9ca2ad2ac67545d4090a8657b0d4b59c61
MD5 hash:
d027252964a2876a6725e40129243c4e
SHA1 hash:
1524101b30dd399e96171e80a37a2c34ff3960c0
Link:
https://www.unpac.me/results/f7dae84c-d5b1-4068-b916-994dbb7b10ae/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV4
Create hunting rule
Author:Rony (r0ny_123)
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/422105/

Comments