MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 576a17172b6d30950fec9fbf882297f3e7e058a57b8e871fffc983fa5b173bd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 576a17172b6d30950fec9fbf882297f3e7e058a57b8e871fffc983fa5b173bd5
SHA3-384 hash: 33fe2016c66de30e7ddb8a888605b94971b16fbea6a78b61577285b5623417e7fd20aaee5d5e7db36e2e4aade0549c44
SHA1 hash: c95dce6fd49c1136fbe89d34060144e291fa0a66
MD5 hash: 9a3a227ef532baf1791aeaca22147507
humanhash: thirteen-august-nebraska-victor
File name:IV-2303-0081.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'042'432 bytes
First seen:2023-04-04 20:57:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:jTq62kUM8p2cPl6UuIheNWhHSlF44K4OA6+uadVeyU7v07TU477LihTymZBJ4Aw2:jO62kep2cPl1uImWhHSH4F4OA6+HdVcU
TLSH T11D25026AB3478C66EABF0631F0E5663883F4774726A5E66E3CDC1AC50471788E8161CF
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 646466eaf6726264 (9 x Loki, 9 x AgentTesla, 8 x SnakeKeylogger)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IV-2303-0081.scr
Verdict:
Malicious activity
Analysis date:
2023-04-04 21:01:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec620207-9d3b-483c-984c-9d5e8e5ee215

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/380132/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/642c8f5b7dc0445b2388f92f/reports/35c7ed8f-ba66-4fd4-9544-1616f0c17fdd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/576a17172b6d30950fec9fbf882297f3e7e058a57b8e871fffc983fa5b173bd5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/926a8327-6d2f-4bb2-93c1-90447d065c16
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1208454
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/576a17172b6d30950fec9fbf882297f3e7e058a57b8e871fffc983fa5b173bd5/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-30 03:17:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5vbofzlnuyjkd7mt67yqiux6pt6awffpohioh77zgb7uwyxhpkq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230404-zr56qaaa47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6de65853fa529a5c023ddbc8a841c24e42cf9d78e27eb2d46d1dcee699c9d511
MD5 hash:
3b2bc025309c7b8ad273c2e54a82f0bd
SHA1 hash:
6885cb01068a7b88cef87e0eef45ece0ad078a7d
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/a3826a1c-5f2f-48a0-a9e5-2f7dea67c3c7/
Parent samples :
231a82ded923d41465ce13e21138c2e15eaf3f2b4c41d9c4da1caebb1fca08f9
01f8e351ce7ac28d0dcd75701dc8a55a7efa31d5d5c4915ce96505ebbc36a966
576a17172b6d30950fec9fbf882297f3e7e058a57b8e871fffc983fa5b173bd5
3978001ee5d6b75a65ba8f881ec75caca178dc690bd1e55b90a977b1d23fbd2d
cad87d2ba2f829cef46aa8195561a9feb19e96c559e8dcb707a68778cecd13e5
26ec84d86c07a621e86269544e8e4018d40bfe4c19a3ced4ee3749155bc4acc8
SH256 hash:
ab7bba714f70698a16b3924f3569e7e9dad5e8dccc588e4ffa6ca3cf25824ca7
MD5 hash:
ad8b4413011886d5f94ade75cdf05fc6
SHA1 hash:
228c71eca3113eb9fcc4886d437a6e105db19a7f
Link:
https://www.unpac.me/results/a3826a1c-5f2f-48a0-a9e5-2f7dea67c3c7/
SH256 hash:
5062f99a5460cbd448d7f9c35d5c05aafa3ce36357be73268367d779dd92396e
MD5 hash:
c499b0e057f46db9f5ad9f0e9181830e
SHA1 hash:
fda2b448e6c7a411e1baed2a8bca7050b9b769ef
Link:
https://www.unpac.me/results/a3826a1c-5f2f-48a0-a9e5-2f7dea67c3c7/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/a3826a1c-5f2f-48a0-a9e5-2f7dea67c3c7/
SH256 hash:
f05530ffeb77ddb4f6c5ae29daec19bfc4df3b3b086173fbed4014095f06ba7d
MD5 hash:
0a605b640b9b5b1036b41fd8ca1bb324
SHA1 hash:
3d27b1e7889f14675940dca86fd2d7ef03dbc7c3
Link:
https://www.unpac.me/results/a3826a1c-5f2f-48a0-a9e5-2f7dea67c3c7/
SH256 hash:
576a17172b6d30950fec9fbf882297f3e7e058a57b8e871fffc983fa5b173bd5
MD5 hash:
9a3a227ef532baf1791aeaca22147507
SHA1 hash:
c95dce6fd49c1136fbe89d34060144e291fa0a66
Link:
https://www.unpac.me/results/a3826a1c-5f2f-48a0-a9e5-2f7dea67c3c7/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/576a17172b6d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/576a17172b6d30950fec9fbf882297f3e7e058a57b8e871fffc983fa5b173bd5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 576a17172b6d30950fec9fbf882297f3e7e058a57b8e871fffc983fa5b173bd5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380132/

Comments