MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 594da3885ba6766852371e812ae655b7422f6dbf76c2671ca887bbae0b07a553. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 594da3885ba6766852371e812ae655b7422f6dbf76c2671ca887bbae0b07a553
SHA3-384 hash: a6344e0cd9c6b1378dc8d267546c64e7f7c6a2ce8d0f58a2a2564b872005f7c7929d692b4aa9405cc3f93212a66adce3
SHA1 hash: 62a95c9edfba7e107dfa469524236913c6c7c442
MD5 hash: 4074331b0de5539d329aa4de8e600db1
humanhash: tennis-steak-kentucky-saturn
File name:SecuriteInfo.com.Variant.Barys.51118.23063.5266
Download: download sample
Signature AgentTesla
Create hunting rule
File size:691'712 bytes
First seen:2023-01-12 07:34:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:wdAfCDolvhIk0SUbpQoy08S0WQKrfnjZjjtoQLE2eg53XD:KtK0SUbpQZVXcrrhtXY2eK3XD
Threatray 24'240 similar samples on MalwareBazaar
TLSH T13AE4F017B29CC75FD6AB66B0E43219F08261AD63E650C6873CC67E8C39F4B10A594BD3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f06ccc0e26586c74 (5 x AgentTesla, 4 x NanoCore)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Variant.Barys.51118.23063.5266
Verdict:
Malicious activity
Analysis date:
2023-01-12 07:40:12 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/87f151a8-e9cf-4af9-828f-152491720a02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352178/
Detection(s):
SecuriteInfo.com.Variant.Barys.51118.23063.5266.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63bfb828e204894241612cfd/reports/25a8557b-4afc-4d0b-b8c8-2858a468c973/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2180c88-4603-446d-917e-cfe74c67f552
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1150126
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782858 Sample: SecuriteInfo.com.Variant.Ba... Startdate: 12/01/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->45 47 8 other signatures 2->47 7 SecuriteInfo.com.Variant.Barys.51118.23063.5266.exe 7 2->7         started        11 VaPKwOGjiH.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\VaPKwOGjiH.exe, PE32 7->31 dropped 33 C:\Users\...\VaPKwOGjiH.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp5AC6.tmp, XML 7->35 dropped 37 SecuriteInfo.com.V....23063.5266.exe.log, ASCII 7->37 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 7->53 57 2 other signatures 7->57 13 SecuriteInfo.com.Variant.Barys.51118.23063.5266.exe 3 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        55 Multi AV Scanner detection for dropped file 11->55 21 VaPKwOGjiH.exe 3 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 mail.richenqtex.me 162.0.229.41, 49716, 49720, 587 NAMECHEAP-NETUS Canada 13->39 59 Installs a global keyboard hook 13->59 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->61 63 Tries to steal Mail credentials (via file / registry access) 21->63 65 Tries to harvest and steal ftp login credentials 21->65 67 Tries to harvest and steal browser information (history, passwords, etc) 21->67 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/594da3885ba6766852371e812ae655b7422f6dbf76c2671ca887bbae0b07a553/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2023-01-12 07:35:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
11 of 41 (26.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfg2hcc3uz3gqurxd2asvzsvw5bc63n7o3bgohfiq6524cyhuvjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0aef16a40e14a956a65402dbaa15033bf89533c285e42ad96642254197efb6ec
AgentTesla
315154cef3104ed0cacd5280a05bf546171fa20b9e090f9c83b1b6e43cdd6f1f
AgentTesla
37b0b6c8e886ba54facc53bea8f5d11ea52bb2ad186ef496bac773ba989b9e89
AgentTesla
42cb095fcf7bce147419fe87bffc91a1c0c189f731daaa819b17d371594b868f
AgentTesla
5a0893d2100052e465b5329bc5ab00bad025469b279ef9fe1ab6a4643b5e8a5e
AgentTesla
8082a20f738274d2db56e6e1ed07d2ba7b4fb84af6f6a2ed867090c1d8465523
AgentTesla
a60d60f79f7b0720d3af8b2b03a3c24da1f69daea30207a770a5f1f34c79464e
AgentTesla
d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1
AgentTesla
d7bd6a1d419ffb47c95217fc6b1133d6d1bba50af95717087f11c2a704972f75
AgentTesla
+ 24'230 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230112-jep1zabc41/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2e617840-1c0f-43b5-ac79-b68a897a30cb
Unpacked files
SH256 hash:
37719a0c057b9df57621958c193290a09a0e549653ef3ef4f061180ab2b61114
MD5 hash:
c4c3ee8e0be595fff87db28bd75de473
SHA1 hash:
e8a40acc0c2d1ec4caf823401e077d350f4c1c50
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/7643e136-641d-422b-829c-7311e55e30df/
Parent samples :
cb5a09fbb8c760f829a4b474f381b32a3ae68ec6e82c6b3d2fd8d2ef38b40d61
d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1
594da3885ba6766852371e812ae655b7422f6dbf76c2671ca887bbae0b07a553
SH256 hash:
105a08555c89abe2004815e2a5130f046b4933376013c011b6b87e6c41e10426
MD5 hash:
c5fe47c0b7bdd6a393be307eab5f99e3
SHA1 hash:
69c9cb8f1add33cb3a64bed13679df9921dc68fc
Link:
https://www.unpac.me/results/7643e136-641d-422b-829c-7311e55e30df/
SH256 hash:
679cf55220392fc63bfa269490ffac656471578bc79d48cbde92d28eab5a1eab
MD5 hash:
0586bef8b0063f895ed68753a09f2b21
SHA1 hash:
5804ba4822e6db91768d35b598a1fa92b296fe24
Link:
https://www.unpac.me/results/7643e136-641d-422b-829c-7311e55e30df/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/7643e136-641d-422b-829c-7311e55e30df/
SH256 hash:
6bc358e81d24d3d8f5a7431c817e4d53141b0f341e5f690b34e3e2c28316711f
MD5 hash:
866caf3d3d42b2950141d63e10c41e33
SHA1 hash:
12198bef2651b1bf88ff4bdce13cd605deb5e71f
Link:
https://www.unpac.me/results/7643e136-641d-422b-829c-7311e55e30df/
SH256 hash:
594da3885ba6766852371e812ae655b7422f6dbf76c2671ca887bbae0b07a553
MD5 hash:
4074331b0de5539d329aa4de8e600db1
SHA1 hash:
62a95c9edfba7e107dfa469524236913c6c7c442
Link:
https://www.unpac.me/results/7643e136-641d-422b-829c-7311e55e30df/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/594da3885ba6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/594da3885ba6766852371e812ae655b7422f6dbf76c2671ca887bbae0b07a553

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/352178/

Comments