MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55a64db52aa28afdf1a222db6a0a74f92a3585d6526cbb015488978aa1992161. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55a64db52aa28afdf1a222db6a0a74f92a3585d6526cbb015488978aa1992161
SHA3-384 hash: b8cdf6f727a346657927a6a0536f9186c44c30c5a4eccab439ab8090792215c98e2614c5412fb5d522822c02bd1e2d48
SHA1 hash: 65b7bd61969bf20b15a930bc4639fa9e1fdbd866
MD5 hash: 7d48a246ff41c17119dc2b4ad1d4781e
humanhash: white-five-six-river
File name:55a64db52aa28afdf1a222db6a0a74f92a3585d6526cbb015488978aa1992161
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'825'792 bytes
First seen:2023-05-09 11:39:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:kam4/e6uCP1JNc6bMDfzS8qP6bTLpb1F6so:kam4/e6pJNi/S6p2so
Threatray 1'038 similar samples on MalwareBazaar
TLSH T11185CE3C19BCE23BD1B8C6B58FD1842BF75094AB3115AEE6ACD687554316E1238C723E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 989c98ac2e2e1eaa (1 x RedLineStealer, 1 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
55a64db52aa28afdf1a222db6a0a74f92a3585d6526cbb015488978aa1992161
Verdict:
Malicious activity
Analysis date:
2023-05-09 11:37:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dd2701fb-dcd0-451a-970c-5ed4b6a45b6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387815/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/645a3113d054a0b0ef843f0c/reports/1712120a-84d7-4e05-af65-d137ca2fb63e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/55a64db52aa28afdf1a222db6a0a74f92a3585d6526cbb015488978aa1992161
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f3ab2d20-cc23-49aa-b0c9-8d00c22d7405
Result
Threat name:
AgentTesla, MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229135
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862117 Sample: rE1ge9sZhd.exe Startdate: 09/05/2023 Architecture: WINDOWS Score: 100 113 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->113 115 Sigma detected: Scheduled temp file as task from temp location 2->115 117 Multi AV Scanner detection for submitted file 2->117 119 4 other signatures 2->119 9 rE1ge9sZhd.exe 7 2->9         started        13 JISvIAI.exe 2->13         started        16 RZWHvIBO.exe 5 2->16         started        18 JISvIAI.exe 2->18         started        process3 dnsIp4 87 C:\Users\user\AppData\Roaming\RZWHvIBO.exe, PE32 9->87 dropped 89 C:\Users\...\RZWHvIBO.exe:Zone.Identifier, ASCII 9->89 dropped 91 C:\Users\user\AppData\Local\...\tmp64C8.tmp, XML 9->91 dropped 93 C:\Users\user\AppData\...\rE1ge9sZhd.exe.log, ASCII 9->93 dropped 133 Uses schtasks.exe or at.exe to add and modify task schedules 9->133 135 Adds a directory exclusion to Windows Defender 9->135 137 Injects a PE file into a foreign processes 9->137 20 rE1ge9sZhd.exe 12 9->20         started        23 powershell.exe 19 9->23         started        25 powershell.exe 21 9->25         started        33 2 other processes 9->33 101 192.168.2.1 unknown unknown 13->101 103 mucahitaytekin.com 13->103 111 2 other IPs or domains 13->111 139 Antivirus detection for dropped file 13->139 141 Multi AV Scanner detection for dropped file 13->141 143 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->143 153 2 other signatures 13->153 145 Machine Learning detection for dropped file 16->145 27 RZWHvIBO.exe 16->27         started        29 schtasks.exe 16->29         started        31 RZWHvIBO.exe 16->31         started        105 mucahitaytekin.com 18->105 107 api4.ipify.org 18->107 109 api.ipify.org 18->109 147 Tries to steal Mail credentials (via file / registry access) 18->147 149 Tries to harvest and steal browser information (history, passwords, etc) 18->149 151 Installs a global keyboard hook 18->151 file5 signatures6 process7 file8 83 C:\Users\user\AppData\Local\Temp\poie.exe, PE32 20->83 dropped 85 C:\Users\user\AppData\Local\Temp\TEGBET.exe, PE32 20->85 dropped 35 TEGBET.exe 20->35         started        39 poie.exe 20->39         started        42 conhost.exe 23->42         started        44 conhost.exe 25->44         started        46 TEGBET.exe 27->46         started        48 conhost.exe 29->48         started        50 conhost.exe 33->50         started        process9 dnsIp10 77 C:\Users\user\AppData\Local\Temp\B.exe, PE32 35->77 dropped 79 C:\Users\user\AppData\Local\Temp\A.exe, PE32 35->79 dropped 121 Antivirus detection for dropped file 35->121 123 Multi AV Scanner detection for dropped file 35->123 52 cmd.exe 35->52         started        54 cmd.exe 35->54         started        95 api4.ipify.org 104.237.62.211, 443, 49697, 49698 WEBNXUS United States 39->95 97 mucahitaytekin.com 31.192.214.172, 49699, 49701, 49703 NETINTERNETNetinternetBilisimTeknolojileriASTR Turkey 39->97 99 api.ipify.org 39->99 81 C:\Users\user\AppData\Roaming\...\JISvIAI.exe, PE32 39->81 dropped 125 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->125 127 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 39->127 129 May check the online IP address of the machine 39->129 131 4 other signatures 39->131 56 cmd.exe 46->56         started        58 cmd.exe 46->58         started        file11 signatures12 process13 process14 60 B.exe 52->60         started        63 conhost.exe 52->63         started        65 A.exe 54->65         started        67 conhost.exe 54->67         started        69 B.exe 56->69         started        71 conhost.exe 56->71         started        73 A.exe 58->73         started        75 conhost.exe 58->75         started        signatures15 155 Antivirus detection for dropped file 60->155 157 Multi AV Scanner detection for dropped file 60->157 159 Tries to steal Instant Messenger accounts or passwords 60->159 161 Machine Learning detection for dropped file 65->161 163 Tries to steal Mail credentials (via file / registry access) 69->163 165 Tries to harvest and steal browser information (history, passwords, etc) 73->165
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55a64db52aa28afdf1a222db6a0a74f92a3585d6526cbb015488978aa1992161/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-27 08:47:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwte3njkukfp34ncelnwuctu7evdlbowkjwlwakurclyvimzefqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2d1646dc9d65c34be77a34bbedf4a7d0c14df7d3a3b0544e4a70e912467995a5
AgentTesla
351c0e2125e4a520bbe97ba66e4596f6a95fe1f52e2fafb7baef5cc0034aeb19
AgentTesla
3a4a199fb9796ce914f2b483e367190289a0a7586650b22cda8e7ba631cb11c6
AgentTesla
86dcc7e6f6823b793907989be56679cbd0e40cf78353601b001548311be0434b
AgentTesla
9e9271e281e82549c613d3aba4a0603536a63c960bf42c16302f6b7668de0d78
AgentTesla
bc6f73a3805a709752228323fa42bf2806fe584f479496f6647db7ca05136299
AgentTesla
bce664433cf5bc9dd22b054ddb25edd926ba0b6124c2f5d0f99dcdcef356a715
AgentTesla
c7b06e2840e703c98fbe1fbfd9f33f5478e58840112d85c1e94c27a34474c95f
AgentTesla
e6c7bf9f389f560ec25ba1808468c5d334cf75d2142face3704aac05af8c024b
AgentTesla
fa7d933860e3500a28e659fcdf620b877bc3ddf20b8b99ccadfd261219492d4a
AgentTesla
+ 1'028 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/230509-nsvwlaff33/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
AutoIT Executable
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
AgentTesla
Unpacked files
SH256 hash:
253a64cf308bd50724f69cc6ce4a138e8e980b1414e02cd56e89f60c839a8919
MD5 hash:
c5abbc1e774181733908eddafc0d0ace
SHA1 hash:
9dc27a699fff3c5a926d8c8ef49dffb9d44ab95c
Link:
https://www.unpac.me/results/e8d74c7c-b528-4e0f-91f8-5e2ff2bf994e/
SH256 hash:
14b654ba9d68e4a0ad8293a359dc4c382899cebf246ae7e6504d21e54437c009
MD5 hash:
3d4e1ba5dff5595ef8e0d54a27f14099
SHA1 hash:
9abecbe019c452afbe02bca27c013586746971df
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e8d74c7c-b528-4e0f-91f8-5e2ff2bf994e/
SH256 hash:
58d2780bac07a53fa9ef0099c386ad23c2c5b83df99e18bbcca9895f829ef5d8
MD5 hash:
3a6ac846fbf56df68c3cb61cd18c7623
SHA1 hash:
e5b7f4e47b357f330b33330663ff5739a02d442f
Link:
https://www.unpac.me/results/e8d74c7c-b528-4e0f-91f8-5e2ff2bf994e/
SH256 hash:
f8b928207c13cd486550f37dd7e59104d31b9c09fd2b6f307cb68ead72815321
MD5 hash:
5551845a2335566694f7c0e6e3ae411a
SHA1 hash:
cba33e49bc9994118edd993b29ac00c7251c4d9d
Link:
https://www.unpac.me/results/e8d74c7c-b528-4e0f-91f8-5e2ff2bf994e/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/e8d74c7c-b528-4e0f-91f8-5e2ff2bf994e/
SH256 hash:
a5ffec87cfd76d4ce25f7b829e0a8e43774db74d3075ae8f8883ad7ca6ead08b
MD5 hash:
54d28d5cdf395da5ca674d0833c260ee
SHA1 hash:
4e607a2a81c63e4376d3e0e29d47abc00a6d1fa6
Link:
https://www.unpac.me/results/e8d74c7c-b528-4e0f-91f8-5e2ff2bf994e/
SH256 hash:
fb4acea2a7132e101aaba2fdb735e7350f71c04a151a25dcd865ed493ce53bcd
MD5 hash:
4292b2d31a7f8ac80d1807e85c599c5a
SHA1 hash:
107e5ba72413db93d8738d4885d928e0a187e87f
Link:
https://www.unpac.me/results/e8d74c7c-b528-4e0f-91f8-5e2ff2bf994e/
SH256 hash:
55a64db52aa28afdf1a222db6a0a74f92a3585d6526cbb015488978aa1992161
MD5 hash:
7d48a246ff41c17119dc2b4ad1d4781e
SHA1 hash:
65b7bd61969bf20b15a930bc4639fa9e1fdbd866
Link:
https://www.unpac.me/results/e8d74c7c-b528-4e0f-91f8-5e2ff2bf994e/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/55a64db52aa2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55a64db52aa28afdf1a222db6a0a74f92a3585d6526cbb015488978aa1992161

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/387815/

Comments