MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42b0ccbc2545a60b0aefdce149c1d3e766293ba645afb3d1ba905be1dc765fe9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42b0ccbc2545a60b0aefdce149c1d3e766293ba645afb3d1ba905be1dc765fe9
SHA3-384 hash: 600b98d528dcd5a86f5735009042b398c0e97231791c71bf7192253cb3c7ebfbbc3aafbbacf4a495c789bdeb8791b4ac
SHA1 hash: e350fad16be9b393e8090131ea695a720afd8b3f
MD5 hash: c5b70288bd516499898a544e8adc4903
humanhash: freddie-indigo-harry-mirror
File name:SecuriteInfo.com.W32.AIDetectNet.01.29802.878
Download: download sample
Signature AgentTesla
Create hunting rule
File size:804'864 bytes
First seen:2022-06-27 12:47:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:QD+P+Vyujv+quKIETKlzUE5Q0K6e8/T4m15OR5n:+5bvW/ta0Xr4eOR5n
TLSH T16F05194CD9938E0DF4B731BA92093E5A53933F97112E819FB2FAB18A1DB79C50052D36
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 92b2b613252533ae (2 x AgentTesla)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283582/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62b9a705e88d6da4ffcc29d2/reports/345cbbfe-a484-4cfa-b588-d7e0452ced72/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de825605-ca06-475f-a134-7d23db5ffd9f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1020446
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 652940 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 27/06/2022 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 8 other signatures 2->41 7 SecuriteInfo.com.W32.AIDetectNet.01.29802.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\VmqIxpPvKR.exe, PE32 7->23 dropped 25 C:\Users\...\VmqIxpPvKR.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp4DAE.tmp, XML 7->27 dropped 29 SecuriteInfo.com.W...et.01.29802.exe.log, ASCII 7->29 dropped 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->43 45 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 2 other signatures 7->49 11 SecuriteInfo.com.W32.AIDetectNet.01.29802.exe 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 raphaellasia.com 103.11.189.110, 49775, 587 VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG Singapore 11->31 33 192.168.2.1 unknown unknown 11->33 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal browser information (history, passwords, etc) 11->53 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/42b0ccbc2545a60b0aefdce149c1d3e766293ba645afb3d1ba905be1dc765fe9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-27 09:43:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ikymzpbfiwtawcxp3tqutqot45tcso5giwx3hun2sbn6dxdwl7uq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220627-p1rpksbbdp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0aa8ea56f670ef5041fe87ee1a27b6623c2cf7996ed489214aa076996ca40cac
MD5 hash:
faf84cab64260654988db2f9157f8f89
SHA1 hash:
e1e6ebeaf252c78e74c1355cdefc6a2c52cfab70
Link:
https://www.unpac.me/results/91e63f17-f8c4-44bd-bdf2-82a0dd731eae/
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/91e63f17-f8c4-44bd-bdf2-82a0dd731eae/
SH256 hash:
93bd6703c7b1fff28510bf49b29e82056f5be367f8b7b21b5f2e6c1a5bcdb1fd
MD5 hash:
a50c031e25fc601a28344979a576afa6
SHA1 hash:
76301abbbc246fce912d1cd4ebc8d260283e2a85
Link:
https://www.unpac.me/results/91e63f17-f8c4-44bd-bdf2-82a0dd731eae/
SH256 hash:
4e7a122900dbf139479b55785c48516c11a7faa4f1b378c85df1583d5532affd
MD5 hash:
43cd62e56760d9868dfc193d76c4b439
SHA1 hash:
6a5f17e22e3fc7a052672d8fde7812fe3d119d36
Link:
https://www.unpac.me/results/91e63f17-f8c4-44bd-bdf2-82a0dd731eae/
SH256 hash:
4000f849ce6d8a9a292219d90b674b658214eeca7c97e7f3f19ec70cafd5ecd5
MD5 hash:
458260ed2f82dd30cbd26b5c7e0b1bdb
SHA1 hash:
4bf8c615f09e2c7005b5459d3892f915392c2787
Link:
https://www.unpac.me/results/91e63f17-f8c4-44bd-bdf2-82a0dd731eae/
SH256 hash:
42b0ccbc2545a60b0aefdce149c1d3e766293ba645afb3d1ba905be1dc765fe9
MD5 hash:
c5b70288bd516499898a544e8adc4903
SHA1 hash:
e350fad16be9b393e8090131ea695a720afd8b3f
Link:
https://www.unpac.me/results/91e63f17-f8c4-44bd-bdf2-82a0dd731eae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42b0ccbc2545a60b0aefdce149c1d3e766293ba645afb3d1ba905be1dc765fe9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/283582/

Comments