MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 377ecccf20a10a0f9fb02b2d614ae682826322aabdaf217b1cf0f9b0ff14ece4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 377ecccf20a10a0f9fb02b2d614ae682826322aabdaf217b1cf0f9b0ff14ece4
SHA3-384 hash: 98b1dca3d6a7cffec0117fdb773e38840fefbebb91b36368a3175631c459013f5c41e9f6a62ffe4cec65a5df097db33c
SHA1 hash: dc837b0355e75f4d578cc464dc46564fc1d5d30f
MD5 hash: e16c18a44f3206043cd36f7f0ad6c03b
humanhash: solar-iowa-carolina-fish
File name:SOA 6009832115.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:642'560 bytes
First seen:2023-06-23 07:12:06 UTC
Last seen:2023-06-23 14:49:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:92iNG4/mNUA6dIzhYHd1tfKYhKNSwpeQOL66vrX8D:91M4/QUQUvBpYB3O1vU
Threatray 11 similar samples on MalwareBazaar
TLSH T19CD4127E56900E04F53B6FF915B94040C3B6AE909A16F23B1FF961F10663F429E2276B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla convergentinterfreight-info exe payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SOA 6009832115.exe
Verdict:
Malicious activity
Analysis date:
2023-06-23 07:17:06 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/c7c8f61d-5850-4a8d-b9c4-a7c7e48470d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/401953/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/649545fe72b30d3d8e17ed5b/reports/05a56ac1-ecb0-4462-8d43-50d7960047ea/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/377ecccf20a10a0f9fb02b2d614ae682826322aabdaf217b1cf0f9b0ff14ece4
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0aa1c424-ed3f-4e15-8789-c1d2be44b41d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1260188
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 893205 Sample: SOA_6009832115.exe Startdate: 23/06/2023 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 4 other signatures 2->59 7 SOA_6009832115.exe 7 2->7         started        11 obKqjyQFivHh.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\obKqjyQFivHh.exe, PE32 7->33 dropped 35 C:\Users\...\obKqjyQFivHh.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp25DF.tmp, XML 7->37 dropped 39 C:\Users\user\...\SOA_6009832115.exe.log, ASCII 7->39 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->61 63 May check the online IP address of the machine 7->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 7->65 67 Adds a directory exclusion to Windows Defender 7->67 13 SOA_6009832115.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        25 2 other processes 7->25 69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 73 Injects a PE file into a foreign processes 11->73 21 obKqjyQFivHh.exe 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 41 api4.ipify.org 104.237.62.211, 443, 49694 WEBNXUS United States 13->41 43 us2.smtp.mailhostbox.com 208.91.199.223, 49695, 49700, 587 PUBLIC-DOMAIN-REGISTRYUS United States 13->43 45 api.ipify.org 13->45 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        47 64.185.227.155, 443, 49696 WEBNXUS United States 21->47 49 192.168.2.1 unknown unknown 21->49 51 api.ipify.org 21->51 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->75 77 Tries to steal Mail credentials (via file / registry access) 21->77 79 Tries to harvest and steal browser information (history, passwords, etc) 21->79 31 conhost.exe 23->31         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/377ecccf20a10a0f9fb02b2d614ae682826322aabdaf217b1cf0f9b0ff14ece4/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-23 07:12:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g57mztzauefa7h5qfmwwcsxgqkbggivkxwxsc6y46d43b7yu5tsa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3128342e14d0e3fdf92828d146cc86bc6f52520cd792b043f72e20eddb022e10
AgentTesla
40f75c27639dc3bbf3922273ebbca9da330874fa3e9d6f4c1a9b0aacc18fdf3d
AgentTesla
780c9bad9c62b35f6af3a27633c4c0e7187049b7a6e7ed7b244a8fe1ef6a240c
AgentTesla
9ab4351395cfc81d8afabb133e442989b54696cad65e22de72d58398505762bd
AgentTesla
a74174da27ad7415025fd5f70ec71f0b9d87ec0b3227b7bc7355cc0fe82269e1
AgentTesla
bbb301f4dcc603a5995bdf179b4d129f976b9ca654093e92eff080cc583b0d7b
AgentTesla
bfdba2515b2d767ebe541557f5461d5c6f9878eeaf9e5f6cc503ccf032143bfa
AgentTesla
fe304cb0925bffe7c7314fb8c4bc50c15b82e49c81fe176c8482ea1ed6f51bc8
AgentTesla
+ 1 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230623-h13zaada49/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/bef9af59-0acb-4a2e-baab-35d79ac673e2/
SH256 hash:
ecdf6b369936432c618befd64632e378446b978f4432a09249a5e1094befb865
MD5 hash:
7dd66bbcaf911a059b4a90a6286cfd35
SHA1 hash:
80c4d9478c95b0ff560ecaa6ccec5bd2817f0dbe
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/bef9af59-0acb-4a2e-baab-35d79ac673e2/
Parent samples :
40f75c27639dc3bbf3922273ebbca9da330874fa3e9d6f4c1a9b0aacc18fdf3d
377ecccf20a10a0f9fb02b2d614ae682826322aabdaf217b1cf0f9b0ff14ece4
SH256 hash:
6d0c5fcdda9041c4cede73f558de17a9e9e202adf7803a84df1dbd82036c0bcd
MD5 hash:
021e09136e6ec374d2ddf325df34d633
SHA1 hash:
3c20c8d4d178d18a8dfe3203ba513f48c597a852
Link:
https://www.unpac.me/results/bef9af59-0acb-4a2e-baab-35d79ac673e2/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/bef9af59-0acb-4a2e-baab-35d79ac673e2/
SH256 hash:
377ecccf20a10a0f9fb02b2d614ae682826322aabdaf217b1cf0f9b0ff14ece4
MD5 hash:
e16c18a44f3206043cd36f7f0ad6c03b
SHA1 hash:
dc837b0355e75f4d578cc464dc46564fc1d5d30f
Link:
https://www.unpac.me/results/bef9af59-0acb-4a2e-baab-35d79ac673e2/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/377ecccf20a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/377ecccf20a10a0f9fb02b2d614ae682826322aabdaf217b1cf0f9b0ff14ece4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d980e63aca1d5bca1c99005983515493948ced946e6d6f5068c58a255b966d8e

AgentTesla

Executable exe 377ecccf20a10a0f9fb02b2d614ae682826322aabdaf217b1cf0f9b0ff14ece4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d980e63aca1d5bca1c99005983515493948ced946e6d6f5068c58a255b966d8e
Cape
Cape
https://www.capesandbox.com/analysis/401953/
  
Dropped by
MD5 7971a58112c57216493a09a73aa7ab33

Comments