MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5521410a48148459362ab36b0fad3e61b1ca9b674339476eac02381ffbc04aa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

SHA256 hash: 5521410a48148459362ab36b0fad3e61b1ca9b674339476eac02381ffbc04aa2
SHA3-384 hash: da353432dd2ba85167bfd798daceec7ac866c235a6fdcf5f591f966d8df41af5501e7d105350985bdccbe7e425f3e12a
SHA1 hash: bb17815265e215c6de61489aca8019bb5ae473e0
MD5 hash: b8cdebc24a5ab6241373ae3bcc7d3053
humanhash: sad-echo-steak-harry
File name: 09876523456789.exe
Signature: AgentTesla
File size: 948'990 bytes
First seen: 2021-09-23 12:36:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep: 24576:m5xolYQY6e8GRuRLXI9PixwDHUiAIMb+5:hYuGyLYUxuRAta5
Threatray: 6'702 similar samples on MalwareBazaar
TLSH: T1B115E127B940A03EE46392F00826A6B5BA262E265F525D0F73D17F4E397111BB9F431F
dhash icon: 8884c1e070b8586c (1 x AgentTesla)
Reporter: abuse_ch
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 186
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 09876523456789.exe
Verdict: Malicious activity
Analysis date: 2021-09-23 12:37:39 UTC
Tags: evasion trojan snakekeylogger keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Threat name: CryptOne Neshta Snake Keylogger
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture screen (.Net source)
Creates an undocumented autostart registry key
Detected CryptOne packer
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample is not signed and drops a device driver
Sigma detected: Interactive AT Job
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Neshta
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour

Behavior Graph (ID: 489190; sample: 09876523456789.exe; start date: 23/09/2021; architecture: WINDOWS; score: 100). Graph-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 18 other signatures. Process tree recovered from the graph:

09876523456789.exe (sample start)
  svchost.com
    dropped: C:\Users\user\AppData\Roaming\mrsys.exe (PE32); C:\...\protocolhandler.exe (PE32); C:\Program Files (x86)\...\misc.exe (PE32); 99 other malicious files
    signatures: Injects code into the Windows Explorer (explorer.exe); Drops executables to the windows directory (C:\Windows) and starts them; Sample is not signed and drops a device driver; Infects executable files (exe, dll, sys, html)
    explorer.exe
  09876523456789.exe
    dropped: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\Local\...\setup.exe (PE32); C:\Users\user\AppData\...\09876523456789.exe (PE32); 8 other malicious files
    signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops executable to a common third party application directory
    09876523456789.exe
      dropped: C:\Users\user\AppData\Local\icsys.icn.exe (PE32); C:\Users\user\AppData\...\09876523456789.exe (PE32)
      signatures: Installs a global keyboard hook
      icsys.icn.exe
        dropped: C:\Windows\System\explorer.exe (PE32)
        signatures: Drops PE files with benign system names; Installs a global keyboard hook
        explorer.exe
          network: vccmd01.t35.com; googlecode.l.googleusercontent.com (142.250.145.82, ports 49745, 49746, 49747, GOOGLEUS, United States); 4 other IPs or domains
          dropped: C:\Windows\System\spoolsv.exe (PE32)
          signatures: System process connects to network (likely due to code injection or exploit); Drops PE files with benign system names; Installs a global keyboard hook
          spoolsv.exe
            dropped: C:\Windows\System\svchost.exe (PE32)
            signatures: Drops executables to the windows directory (C:\Windows) and starts them; Drops PE files with benign system names; Installs a global keyboard hook
            svchost.exe
              network: 192.168.2.1 (unknown)
              dropped: C:\Users\user\AppData\Local\stsys.exe (PE32)
              signatures: Detected CryptOne packer; Drops executables to the windows directory (C:\Windows) and starts them; Uses schtasks.exe or at.exe to add and modify task schedules; Installs a global keyboard hook
              spoolsv.exe
                signatures: Installs a global keyboard hook
              at.exe
                conhost.exe
              at.exe
                conhost.exe
              10 other processes
                conhost.exe (3 instances); 6 other processes
      09876523456789.exe
        dropped: C:\Users\user\AppData\...\shbtviyozv.dll (PE32)
        signatures: Injects a PE file into a foreign processes
        09876523456789.exe
          network: checkip.dyndns.com (193.122.6.168, ports 49743, 80, ORACLE-BMC-31898US, United States); freegeoip.app (104.21.19.200, ports 443, 49744, CLOUDFLARENETUS, United States); checkip.dyndns.org
          signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  svchost.exe
  svchost.exe
Threat name: Win32.Virus.Neshta
Status: Malicious
First seen: 2021-09-23 11:04:02 UTC
AV detection: 43 of 45 (95.56%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:neshta family:xmrig evasion miner persistence spyware stealer
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Installed Components in the registry
Detect Neshta Payload
Modifies WinLogon for persistence
Modifies system executable filetype association
Modifies visiblity of hidden/system files in Explorer
Neshta
xmrig
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_Fody
Author: ditekSHen
Description: Detects executables manipulated with Fody

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Author: ditekSHen
Description: Detects executables with potential process hoocking

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author: ditekSHen
Description: Detects executables using Telegram Chat Bot

Rule name: MALWARE_Win_SnakeKeylogger
Author: ditekSHen
Description: Detects Snake Keylogger

Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: MAL_Envrial_Jan18_1_RID2D8C
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: MAL_Neshta_Generic
Author: Florian Roth
Description: Detects Neshta malware
Reference: Internal Research

Rule name: MAL_Neshta_Generic_RID2DC9
Author: Florian Roth
Description: Detects Neshta malware
Reference: Internal Research

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Telegram_Exfiltration_Via_Api
Author: lsepaolo

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments