MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44e70f14e20d43e59bee945d443ba00adc352d38a22b1a6b82731a83bc02ebfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44e70f14e20d43e59bee945d443ba00adc352d38a22b1a6b82731a83bc02ebfe
SHA3-384 hash: 4e1153b0c919e84effec41d2d4a4e8d469ee9a2ca0f628bfe66d2a9c066e892b122486dc2e6c153eb9421c073d42b2ed
SHA1 hash: 7100635b89f1ef19675dde191ad8bb243caf8f2e
MD5 hash: 9d94a212f95e471b07d9636e538e8271
humanhash: washington-jersey-alpha-seventeen
File name:SecuriteInfo.com.Win64.PWSX-gen.22197.18997
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'415'552 bytes
First seen:2022-10-31 00:16:18 UTC
Last seen:2022-10-31 01:04:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:e+xbz7tKhZ3G36B78JqP9BGeP6lnYx/9r7jeLKe+Cl3dH:ZN83G3sYJql0eipAlr3eLHPrH
Threatray 524 similar samples on MalwareBazaar
TLSH T1E3F56577DFB23EECFBAAAC5C26AA8167730016551C8D01AB9D8FCB74D0C0B583944A57
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win64.PWSX-gen.22197.18997
Verdict:
No threats detected
Analysis date:
2022-10-31 00:19:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ba6025ce-edaa-4640-9c9e-373fdab0a5ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326221/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.22197.18997.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/635f13fe762855ef2d76e429/reports/bb5bf21b-c062-4340-acfd-b92edaa8f06f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6ec12731-7fb5-4763-852a-5bb77908d1f3
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
expl.evad.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1101380
Signature
.NET source code contains very large array initializations
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44e70f14e20d43e59bee945d443ba00adc352d38a22b1a6b82731a83bc02ebfe/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-10-30 21:33:34 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
19 of 40 (47.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ittq6fhcbvb6lg7osrouio5ablodkljyuivru24comnihpac5p7a._file
Verdict:
unknown
Similar samples:
1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b
AgentTesla
7b2a751a9af69cdc119755601ee27693dd105aa1702fd5f5cd6fcf697ac47bb6
AgentTesla
9316de8b3697c6a6f1fba5bc0b653cfb6202aa7429b5d203523a9768e9a772e9
AgentTesla
9d0cd2b1f470af7bba55345850c4f2b24ba96b9c4c361e4ff75c14a72bb3e7de
AgentTesla
b0e9ac1486908cd1351af5f5cb102d16ed197dee031f9f07d996f62248fdd481
AgentTesla
b24c75d9e1a26e070994807153641fa82130db5b166dfa2ac79412a7c36e37f6
AgentTesla
b613f08a0063de54e6ee9b6d3beb3ad93c1cfeb277304de7491321276d5ddc45
AgentTesla
bb06bf5d8b68991bf2545a1b560b535d35ec17f870f4b53f62c31dc3d1148408
AgentTesla
ea22f746189bf2d6ad50b7e04bf79cc153ce431f04dd2c5437632949d7eb66d0
AgentTesla
+ 514 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221031-ak2ghsgag5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5705602282:AAFcwBeX9coGMKJeokPZOq06CS7N1H2rCJI/
Unpacked files
SH256 hash:
44e70f14e20d43e59bee945d443ba00adc352d38a22b1a6b82731a83bc02ebfe
MD5 hash:
9d94a212f95e471b07d9636e538e8271
SHA1 hash:
7100635b89f1ef19675dde191ad8bb243caf8f2e
Link:
https://www.unpac.me/results/cfb5d7e3-8ebc-4b92-a9e1-8ce9175604fb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/44e70f14e20d43e59bee945d443ba00adc352d38a22b1a6b82731a83bc02ebfe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/326221/

Comments