MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 553678dd0310daff936d1ee685d4e85949ea5b11b051882e9e8d63b5cfeedcd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	553678dd0310daff936d1ee685d4e85949ea5b11b051882e9e8d63b5cfeedcd9
SHA3-384 hash:	108bade6c1eebc2c454adebb5c42c8d3f1c86488671e078ed1c6fb5cb24153a60bf139a6eef006642a745f2fac7143e2
SHA1 hash:	bb431721da8479192749cf19ddc550f55d5afa94
MD5 hash:	2b5007acbd10b85a5c0ce4400a61f933
humanhash:	virginia-undress-pennsylvania-triple
File name:	SecuriteInfo.com.Win32.MalwareX-gen.27283.25061
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	967'168 bytes
First seen:	2023-01-12 03:30:21 UTC
Last seen:	2023-01-12 14:34:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:MnKzULOFlOfc7QRdlPMGxsGBvJrYTSKIKTn6ALTx:eKfFyYQdMGp7
Threatray	24'861 similar samples on MalwareBazaar
TLSH	T17125BE9237F0D477F4CE133D462827D82DAA6266B2B4F23B5F232D9092949FF7285149
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

171

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.27283.25061

Verdict:

Malicious activity

Analysis date:

2023-01-12 03:31:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/793ea291-406a-44f3-b809-f74d476d8a78

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/352140/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.27283.25061.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Searching for the window

Creating a window

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63bf7efcdde391056ac28cb9/reports/a96c6513-2fbc-4a47-b9b9-0c77c8a9abc2/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5a427ef3-4584-4da4-b0c3-93a5b7524215

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1150049

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/553678dd0310daff936d1ee685d4e85949ea5b11b051882e9e8d63b5cfeedcd9/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2023-01-12 03:31:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 40 (67.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ku3hrxidcdnp7e3nd3tilvhilfe6uwyrwbiyqlu6rvr3lt7o3tmq._file

Verdict:

malicious

AgentTesla

2b834fed267b4b47d6d783eb00cf7c770bbb85bdeec9fd008786fa55483cff65

AgentTesla

2b924314517e86bfece5ecc1e2a6386ac415c9db078a48e7e974a08a8c6255ed

AgentTesla

2cc6b260d75009a42a07d74973fd648b25d120b7f93d6203f7cf6e8a9daae4cc

AgentTesla

c4c1b70602f58b2f42190cd69dc5e3061da0ff44e27f771b3aa456d8789fea72

AgentTesla

d896aeab1ada4fc3029f6b8ce8f9852775e3b0e30d7b13582208c052f8e8e20c

AgentTesla

f2b319e1d2fdad6549ad9f56894221d7c3f8706d96012316dae1b52231a46247

AgentTesla

fce48b4993cc9580290c751a7cb151c06c861cf2033a9d59b00135c955cef072

AgentTesla

ffb64f4d42dd2de275cbf4ae7b334ffdd8920ff8fec95aca9900493472603d16

AgentTesla

+ 24'851 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/230112-d22qdsfa82/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d9d398b3-77a4-4599-9004-86b431156528

Unpacked files

SH256 hash:

1c0072bd0c8fbf0e27d145a0ee7e34428936c2ddeba929d3f60e352891e7e0c6

MD5 hash:

b2d0625c46714e40a6a38238659ea9ed

SHA1 hash:

dc43d5d539eab67b7e3109d0e4894e099a1a18f8

Link:

https://www.unpac.me/results/4c7b86fb-2f02-4262-bcf4-ecf776ed9879/

SH256 hash:

601bf1b444d01e516e2df2ca115a714ff9ee6cc50642daf36d197334745179f4

MD5 hash:

8451e9b188dc6f92688e97652f4fa253

SHA1 hash:

8837c45b36ae78687dd7636e19c82b01c1b59989

Link:

https://www.unpac.me/results/4c7b86fb-2f02-4262-bcf4-ecf776ed9879/

SH256 hash:

253d50ea9133c72f1c3b2d54017d47d0f118598c78042350324c856ee0e208d7

MD5 hash:

674d98eea7222ffe1cd62362cca0d512

SHA1 hash:

8814f6b22e03812e7fa86295c3a0bf6c36733dd4

Link:

https://www.unpac.me/results/4c7b86fb-2f02-4262-bcf4-ecf776ed9879/

SH256 hash:

27fd829c4c55fed51bcaa2c97976da762e18bb0eeff5581a3573d359805a76dc

MD5 hash:

9fc6593a60d0fffdae821b6469882f04

SHA1 hash:

7493e8e03f3f8676c50a0c121e0828a8ef019a73

Link:

https://www.unpac.me/results/4c7b86fb-2f02-4262-bcf4-ecf776ed9879/

SH256 hash:

ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c

MD5 hash:

77ab42f4bbbf4565846eb8953192d71f

SHA1 hash:

3c662c756cc31867c0473716a74e777a65ced550

Link:

https://www.unpac.me/results/4c7b86fb-2f02-4262-bcf4-ecf776ed9879/

SH256 hash:

553678dd0310daff936d1ee685d4e85949ea5b11b051882e9e8d63b5cfeedcd9

MD5 hash:

2b5007acbd10b85a5c0ce4400a61f933

SHA1 hash:

bb431721da8479192749cf19ddc550f55d5afa94

Link:

https://www.unpac.me/results/4c7b86fb-2f02-4262-bcf4-ecf776ed9879/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/553678dd0310/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/553678dd0310daff936d1ee685d4e85949ea5b11b051882e9e8d63b5cfeedcd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/352140/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample