MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 583386abc9773ac12925445d15a5ba0a92b66c4cedbbb466b08afa215ecc9104. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 583386abc9773ac12925445d15a5ba0a92b66c4cedbbb466b08afa215ecc9104
SHA3-384 hash: 65764b2d03948530fd895fb7869262f0313f6c49c9fb2c18a967e28fbf930a3bc15f9290dc9bb7be63d26cb049b06710
SHA1 hash: 0a88d5dcdbdfd838e03cec0a46f239a8de6d05d6
MD5 hash: 6c7a0d98c395e4db12ed83e6cbae5204
humanhash: alaska-beryllium-magnesium-undress
File name:listed items.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:634'368 bytes
First seen:2023-04-04 09:30:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:5qtzLwrXHCxOS5eX03CLZv8Y+5WBV/IppvyeG8GNQBAZ:DOgS5J3CbV/IpJyJNuA
Threatray 56 similar samples on MalwareBazaar
TLSH T1F1D41249335C963FC87D46FF80316649437A5532BB15D7CB1CD8A8BAAAF2B94C502AC3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:AgentTesla exe scr


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.endeavourgroup.co.in:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
listed items.scr
Verdict:
Malicious activity
Analysis date:
2023-04-04 09:31:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17152bd3-a467-4c2d-99c4-bb53a0f131f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379933/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642bee58497fb6f23efd4b36/reports/a8f4401a-4d57-4c27-89ff-c56ab4ca8ce5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/583386abc9773ac12925445d15a5ba0a92b66c4cedbbb466b08afa215ecc9104
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2a646ae7-371e-4e62-8bcc-19a10fe6ddd3
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207895
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 840812 Sample: listed_items.scr.exe Startdate: 04/04/2023 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Sigma detected: Scheduled temp file as task from temp location 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 3 other signatures 2->48 7 listed_items.scr.exe 7 2->7         started        11 ldrlKycSDDnx.exe 5 2->11         started        process3 file4 34 C:\Users\user\AppData\...\ldrlKycSDDnx.exe, PE32 7->34 dropped 36 C:\Users\...\ldrlKycSDDnx.exe:Zone.Identifier, ASCII 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmpB3E0.tmp, XML 7->38 dropped 40 C:\Users\user\...\listed_items.scr.exe.log, CSV 7->40 dropped 50 Uses schtasks.exe or at.exe to add and modify task schedules 7->50 52 Writes to foreign memory regions 7->52 54 Allocates memory in foreign processes 7->54 56 Adds a directory exclusion to Windows Defender 7->56 13 MSBuild.exe 2 7->13         started        16 powershell.exe 19 7->16         started        18 powershell.exe 21 7->18         started        20 schtasks.exe 1 7->20         started        58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 62 Injects a PE file into a foreign processes 11->62 22 MSBuild.exe 11->22         started        24 schtasks.exe 11->24         started        signatures5 process6 signatures7 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->64 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->66 68 Tries to steal Mail credentials (via file / registry access) 13->68 70 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->70 26 conhost.exe 16->26         started        28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        72 Tries to harvest and steal browser information (history, passwords, etc) 22->72 32 conhost.exe 24->32         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/583386abc9773ac12925445d15a5ba0a92b66c4cedbbb466b08afa215ecc9104/
Threat name:
ByteCode-MSIL.Spyware.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-04-03 06:17:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
16 of 23 (69.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lazynk6jo45mckjfirorljn2bkjlm3cm5w53izvqrl5ccxwmseca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
24740eec512c214af4e012f2ec3bc79fdfd9912abd32b6d54b7e9ca1115407d0
AgentTesla
2876998fe70b951757cb3a2394b271009228b83c58ddf201ab1cc41b6b96e741
AgentTesla
33a8bb74d0ef4be5a6f3845bf87f406a2b9757535a09d65e34d1c73a4b133429
AgentTesla
69efd675ee6737f614a8ea14f4b125b25c9b3d80ab901d2dd0024837e0e5ac29
AgentTesla
8aad378acd6bb2912809751007cc762facf7eefcc867b5fd8ace1e1728329c08
AgentTesla
8e067a63005c0cb62a0db614acafc9e1964bfd5520c13075d04879fb2aa90451
AgentTesla
9072096046bf04b2f07da98d57dea07374aeb85294ba21404dd81176839737e6
AgentTesla
c3c4281831f463d7ee622d35ea584b893b99400c0dc7dda327557d48f10ec564
AgentTesla
d5fc5fba51a492858f45d0f86b010ac6ab2bc68be94fc2c8a776b7eaf3acaac3
AgentTesla
d79b67e9e7380e870103acd7b29951d0a4cb5f6da18c28a21070463aad65be45
AgentTesla
+ 46 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230404-lg25esfh5w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
5884cc1f4335076bb2a8c9d14a6d5f00d8bbb70d3caacf30ef4674ab06699fe1
MD5 hash:
9391f97ae9dbcfbfabcd611cd3f8383f
SHA1 hash:
f2941a79606cc652bb8d5b5e5df9a7d84ed6606f
Link:
https://www.unpac.me/results/a747e84b-79f4-42c1-b0b3-c9188c877d27/
SH256 hash:
585e3d4afc2f03d3db7529c16702a5769aadc0dfce1d16345fa1131af34adbc2
MD5 hash:
9f526285e47db67eb0879cdcf2fdf6d8
SHA1 hash:
c110e7e0ad41075f30c15bcdb799bebddff19143
Link:
https://www.unpac.me/results/a747e84b-79f4-42c1-b0b3-c9188c877d27/
SH256 hash:
943374cdfc0359444ef6502cb7d9399ad19e0896f53a4a2d05ca59359ab8519f
MD5 hash:
6461c7602fd2331a0b96ea712c95c341
SHA1 hash:
9038255a1b5b7c69157bb93b736ff4bad709f8ec
Link:
https://www.unpac.me/results/a747e84b-79f4-42c1-b0b3-c9188c877d27/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/a747e84b-79f4-42c1-b0b3-c9188c877d27/
SH256 hash:
5c0d1b9b76ac05e8599cecf91e4144d27ebac8164c2311070b64d87f41caaa10
MD5 hash:
6c7b1d6a741c5cf06a9728485116a071
SHA1 hash:
534e55707223e55c99af9c7d63747dbf792166ea
Link:
https://www.unpac.me/results/a747e84b-79f4-42c1-b0b3-c9188c877d27/
SH256 hash:
583386abc9773ac12925445d15a5ba0a92b66c4cedbbb466b08afa215ecc9104
MD5 hash:
6c7a0d98c395e4db12ed83e6cbae5204
SHA1 hash:
0a88d5dcdbdfd838e03cec0a46f239a8de6d05d6
Link:
https://www.unpac.me/results/a747e84b-79f4-42c1-b0b3-c9188c877d27/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/583386abc977/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/583386abc9773ac12925445d15a5ba0a92b66c4cedbbb466b08afa215ecc9104

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 583386abc9773ac12925445d15a5ba0a92b66c4cedbbb466b08afa215ecc9104

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379933/

Comments