MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58873f3b0e839c017a4ae835787ad4c1f821e905184d168be6250d368f793fbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	58873f3b0e839c017a4ae835787ad4c1f821e905184d168be6250d368f793fbb
SHA3-384 hash:	f2d882d993fd4f95ab7668fdfbc590da24333d7b922550edfd674b4e4fe77c1b12d04cb85f532fce54a7218c93d19db8
SHA1 hash:	6a85f7703f00aeaf741bf331f8f1443302ae67ee
MD5 hash:	d19ec5b28b5bf5ef9da2b17164abd9b2
humanhash:	snake-wyoming-yellow-mike
File name:	SecuriteInfo.com.FileRepMalware.6440.14425
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	412'778 bytes
First seen:	2022-11-24 04:34:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep	6144:HBn4HAbXhtFSpHOdoox50byBZazXJRMLkwhoU9X5o7VOARKsVWqBXTS0k3cnSkAX:GHAlyQfjB6C/KaXoVHRKstjk3cjAdko
Threatray	20'572 similar samples on MalwareBazaar
TLSH	T177942315709524AFD5830FB4ACE6E358D5B3FBBA9213960BA7A62F5B321C1CBC5413C1
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e4ccd0d0f0e8fcb4 (1 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.FileRepMalware.6440.14425

Verdict:

Malicious activity

Analysis date:

2022-11-24 04:36:49 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/ddc722b7-9fa3-42be-8acd-f9308445fa9a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/337910/

Detection(s):

SecuriteInfo.com.FileRepMalware.6440.14425.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/637ef47824da1c12cfe18ebe/reports/507513dd-485a-4099-aaf5-97e694de9f4d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/614478b0-5a57-419a-abd5-f3643856e186

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1120285

Signature

.NET source code contains very large array initializations

Detected unpacking (creates a PE file in dynamic memory)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/58873f3b0e839c017a4ae835787ad4c1f821e905184d168be6250d368f793fbb/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-11-24 00:27:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 40 (60.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lcdt6oyoqooac6sk5a2xq6wuyh4cd2ifdbgrnc7geugtnd3zh65q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

45340696f311075cbef1929f4ce534aaa3b872e75f15a9d538ba7cd4f45b717d

AgentTesla

5c9c51f336a4f92821219c73a99bd5c7e4bc749967e95745b12af9c25285b314

AgentTesla

61881ceb156b1061749e30c9e396bf12e94abedaebfe0acc723666c3f58e5ada

AgentTesla

b6a7e17e7a419a7627495bda74f392db350508a36cc2a089342374e343fe0a06

AgentTesla

c05b7b394c6fd0211f67dae500bd48d89b0ce2d16ff2088ca657b1fed475599d

AgentTesla

c7a4fff1122cdbc4427cb51deb67fb1e4cfdf7013af9d7fb31c60d7ede7eb979

AgentTesla

+ 20'562 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221124-e67b4she24/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/476c1195-a0f6-4e21-9814-d17f0c31e8c4

Unpacked files

SH256 hash:

a4e8315c48c26253d7a1ee2bf3d9406a27cc68326af85334d276eb4d956389db

MD5 hash:

b420fcf7f57aed04aa5898b83622d6c9

SHA1 hash:

d5e9300ee765047b75a259ff75bb7f961cfa18fb

Detections:

AgentTesla

Link:

https://www.unpac.me/results/6064c489-8842-4d9b-b27a-0444576b7b48/

Parent samples :

330a2e6dcb89bc9d54e8535dc95b1bbea5cddfedcb148f62e2214b46911a9f91
435ce1e9404ae789d2a1a33e57f602f4bdfd6bb08c49826699ca23da5a117c70
58873f3b0e839c017a4ae835787ad4c1f821e905184d168be6250d368f793fbb
feb004eece446b55f9084f8eb1ef78f3629943b6978a7fcd1179a64d14477255

SH256 hash:

7d18a433e5b3d8eb2a0c6c9f97b8603883ed8af7a25061c5063cee0af1372da7

MD5 hash:

0ca1fae485f9815974776335124ac5d3

SHA1 hash:

06f7b36a2e024e65f2802319666469c82c5552eb

Link:

https://www.unpac.me/results/6064c489-8842-4d9b-b27a-0444576b7b48/

SH256 hash:

58873f3b0e839c017a4ae835787ad4c1f821e905184d168be6250d368f793fbb

MD5 hash:

d19ec5b28b5bf5ef9da2b17164abd9b2

SHA1 hash:

6a85f7703f00aeaf741bf331f8f1443302ae67ee

Link:

https://www.unpac.me/results/6064c489-8842-4d9b-b27a-0444576b7b48/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/58873f3b0e83/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/58873f3b0e839c017a4ae835787ad4c1f821e905184d168be6250d368f793fbb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/337910/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample