MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58a3370efce2b3045579760da0365b5c7b7a54361d0350b7d1aa3d1b1ed1cfc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	58a3370efce2b3045579760da0365b5c7b7a54361d0350b7d1aa3d1b1ed1cfc3
SHA3-384 hash:	21c4a0c6f1e6108e79c1411cbc430a3de0263f9bb9c8c7a982536b4db5aa315cd2e5254822fb66abd59d69cc5cf79fe1
SHA1 hash:	6924ce084fc8e45878989f447d1cf3cad9850483
MD5 hash:	17e31cd9435247ad7d3416785dc62501
humanhash:	johnny-single-nevada-north
File name:	IMG-20221108-WA000000000093.jp..exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	319'905 bytes
First seen:	2022-11-10 19:57:25 UTC
Last seen:	2022-11-10 21:44:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep	6144:MEa0Nok7l7BYw+Ez2ihYo3zWkah9sGP+FYvs/q25PLRU5YIsNs7IccIgF7dza/qk:Xok7luw7y8Yo3zWddHEieP0zsPccf+Sk
Threatray	21'356 similar samples on MalwareBazaar
TLSH	T1DF641202A7D5D04BD197E6375421B775CBBACF444246B65B0BD28EABAF692038F0C229
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	GovCERT_CH
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

230

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

IMG-20221108-WA000000000043.r02

Verdict:

Malicious activity

Analysis date:

2022-11-09 05:58:11 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/02b7ec59-2863-4435-82a8-9c68efaac85b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/332114/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.22055.9598.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a window

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process by context flags manipulation

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/51080/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook lokibot nemesis overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/636d57cc82dd9f2e265365ae/reports/6fb24e39-0d06-4890-9fd1-511687099b99/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c2cbddea-1b1c-49ae-8d49-403463c8a904

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1110751

Signature

.NET source code contains very large array initializations

Detected unpacking (creates a PE file in dynamic memory)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/58a3370efce2b3045579760da0365b5c7b7a54361d0350b7d1aa3d1b1ed1cfc3/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-11-09 04:45:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lcrtodx44kzqivlzoyg2ans3lr5xuvbwdubvbn6rvi6rwhwrz7bq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

7282a0070079e267fb63452996a56c4824dee88e3895084d4ebab27fb5d9adb4

AgentTesla

a7476e06722a6f84ed1d2bd6a3143f6657bcfaf989dd88125222121b7886800d

AgentTesla

b6a7e17e7a419a7627495bda74f392db350508a36cc2a089342374e343fe0a06

AgentTesla

f0306ebebd6f2c0f44a9e025224d64e6f253c3282a3ab6ffc8a4fa852e2703a4

AgentTesla

fdd7e0f9333f886e5052154e6d8ec604e99318c806f4cea7449843b8bb71db07

AgentTesla

+ 21'346 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221110-yptjgadda2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla payload

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/242072de-da1a-45b7-b437-089fbb214d90

Unpacked files

SH256 hash:

51e87cd01ca6e33d089cf41cc8a0434ad409ce8a992a8b0a8207b5e29b2ff734

MD5 hash:

956e5d888900d905d52762140772cf5c

SHA1 hash:

e5ab0db86fce448e149204a8bca89e141cd92c48

Link:

https://www.unpac.me/results/40d3675a-d1d9-48df-9ac3-a9847323fe77/

SH256 hash:

9735eb3db3bb8e63249cdc5659de544ff6fac0f9e9987b1c7b0ccac8c2aadb69

MD5 hash:

c094f82f282257c7d88030e3bc561729

SHA1 hash:

e09147f7b9874bcfbebda13c7ab6ced7d6c6ae17

Link:

https://www.unpac.me/results/40d3675a-d1d9-48df-9ac3-a9847323fe77/

Parent samples :

f0da229cd56486cb27d1465410147676261d663a62aa9e95f27fda1b2ee5a662
b78040849f2b58f1cf44d65b15df6aa282b0958cda4445f691633e39b2c644ea
7eb652a8ae8849d8b7fb0f2cc9a0b6a591874c564c7ab275fe519ba37895a43f
830259122e9c75a4977848c7a340c7a13efb927302035bf9f3460530c5f4d7dd
b506dc9b1bc7904f4e8abc8a14d0b44ccc1c0a7ca687761349d38a425baa1348
fd2ddd6b33014512158a83661ab481547e2b7b34a80d2c32ef05ae37826c4e42
6fe8c589727c61797e7f1be599e1b8d19d5ba37bd71d7223f866c6d94dfbaf1c
4e07c4b00b345ceb00f859475df5179802164912527f8feae6820a8ef50bb15f
ffdf5ac834d24512efa206781e9555b3a4ec7de8e27733de0b1187cf3b26fbf4
b9eef3caa6be71a2a745055198dd0243a792b8faf6314554e050c037733c7588
62dc73beb92c72827a3408e42c9220f5d33258258ff03bfc7285d02f7372eee8
df4f3740e1876d09c3d045fdcc6a6245576994091fcc7cafe4c6b7fc76428b95

SH256 hash:

112567f0fcf0f0dc4953d7d656bbd95c2cced351fbe0134a82a5793c376dc0ce

MD5 hash:

20ba1749a2d2acbb2476bcdcddabdd6d

SHA1 hash:

a1ea0922b72a37ea9efb97a1bc10da9cedd8ce40

Link:

https://www.unpac.me/results/40d3675a-d1d9-48df-9ac3-a9847323fe77/

SH256 hash:

58a3370efce2b3045579760da0365b5c7b7a54361d0350b7d1aa3d1b1ed1cfc3

MD5 hash:

17e31cd9435247ad7d3416785dc62501

SHA1 hash:

6924ce084fc8e45878989f447d1cf3cad9850483

Link:

https://www.unpac.me/results/40d3675a-d1d9-48df-9ac3-a9847323fe77/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/58a3370efce2b3045579760da0365b5c7b7a54361d0350b7d1aa3d1b1ed1cfc3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 58a3370efce2b3045579760da0365b5c7b7a54361d0350b7d1aa3d1b1ed1cfc3

(this sample)

Dropped by

agenttesla

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/332114/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample