MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58b9c3875b2fafaa35de0274096e8d9a6367cc4be83e19f72cb825124ec86c5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58b9c3875b2fafaa35de0274096e8d9a6367cc4be83e19f72cb825124ec86c5d
SHA3-384 hash: 56b6664e1dda5152ee5c31cd1b2715f8d86625c68875060eac0ce4a714486680a8a0f1ab4c2b0f2b158733742b357d50
SHA1 hash: 10921cf2ebb7813b6bfba0d4ff0c49eb9a596682
MD5 hash: 590b106f3fd63be54da9e830adfd44d1
humanhash: steak-victor-robin-berlin
File name:Detailed RFQ3.xll
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'072 bytes
First seen:2024-05-02 02:52:49 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
ssdeep 24:ZHGStUOs8vt0mWilFBEqDA1xnoYZOwtB9kz/bxMFRxtIB:ZvtUOs8zVlPA16etBLZO
Threatray 4 similar samples on MalwareBazaar
TLSH T17D51429A37D211E9C754C2750EB2E321E17A3A340773C92107F045796CA9E30279DEA7
TrID 33.4% (.EXE) OS/2 Executable (generic) (2029/13)
33.0% (.EXE) Generic Win/DOS Executable (2002/3)
33.0% (.EXE) DOS Executable Generic (2000/1)
0.4% (.VXD) VXD Driver (29/21)
Reporter abuse_ch
Tags:AgentTesla xll

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
58b9c3875b2fafaa35de0274096e8d9a6367cc4be83e19f72cb825124ec86c5d.xll
Verdict:
Malicious activity
Analysis date:
2024-05-02 02:58:45 UTC
Tags:
opendir loader telegram exfiltration stealer agenttesla
Link:
https://app.any.run/tasks/4969ceab-10ba-4f3b-9e5c-05c8db97ebec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Downloader-9939983-0
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/58b9c3875b2fafaa35de0274096e8d9a6367cc4be83e19f72cb825124ec86c5d/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed persistence
Link:
https://www.filescan.io/uploads/663300109cdc03b57ab9c8df/reports/1db7be6e-0873-4fde-a6fa-8ff851fa1655/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/58b9c3875b2fafaa35de0274096e8d9a6367cc4be83e19f72cb825124ec86c5d
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1435096
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1435096 Sample: Detailed RFQ3.xll Startdate: 02/05/2024 Architecture: WINDOWS Score: 52 15 Multi AV Scanner detection for submitted file 2->15 17 Initial sample is a PE file and has a suspicious name 2->17 7 cmd.exe 3 2 2->7         started        process3 process4 9 EXCEL.EXE 129 59 7->9         started        11 conhost.exe 7->11         started        process5 13 splwow64.exe 9->13         started       
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/58b9c3875b2fafaa35de0274096e8d9a6367cc4be83e19f72cb825124ec86c5d
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/58b9c3875b2fafaa35de0274096e8d9a6367cc4be83e19f72cb825124ec86c5d/
Threat name:
Win64.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-05-01 13:23:00 UTC
File Type:
PE+ (Dll)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lc44hb23f6x2uno6aj2as3untjrwptcl5a7bt5zmxasretwinroq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
58b9c3875b2fafaa35de0274096e8d9a6367cc4be83e19f72cb825124ec86c5d
AgentTesla
72ddcbe3b2e8d2dba87b8bb2a925f50209610f3e74876cd82234c35c6f6eb217
AgentTesla
94b146aebc29c43c227467947ab95df41ffe9795d131c0e16ec54edf232a685a
AgentTesla
a9fa442c7e56486753d03f2420e970df0abd9914e4686a24eeb3e55feb458d08
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240502-ddaxrseh71/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
AgentTesla
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/58b9c3875b2f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/58b9c3875b2fafaa35de0274096e8d9a6367cc4be83e19f72cb825124ec86c5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:SUSP_ENV_Folder_Root_File_Jan23_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious file path pointing to the root of a folder easily accessible via environment variables
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments