MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59e009667dbb1344d0639b171763fe0d79b27e4419df4ee9829b7789197cc6e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59e009667dbb1344d0639b171763fe0d79b27e4419df4ee9829b7789197cc6e4
SHA3-384 hash: f6e8a02550d59be351d45746e73d354197a3bd21f18a039c9ded7c74742cb6ae8f925eea89f9e6e2d8aafd87b11d0009
SHA1 hash: b7867985ca8a61d942e82a021e27b9dbea5c0b42
MD5 hash: 9bd1c9256c64814f6c83e3a76f60c42c
humanhash: five-red-mockingbird-nuts
File name:PO_4500003061 signed copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:901'120 bytes
First seen:2022-12-07 07:15:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:mvH2Mj6pEyFxCUVZHp24gBxIKH9zPlESv:mvWMu6yFVVxp24gBzRP+Sv
Threatray 6'126 similar samples on MalwareBazaar
TLSH T1DA15F82F8ED3A5D4ED7747F872559BB93DA2B3C1A8A51C0568A09033004C43EB76FEA5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_4500003061 signed copy.exe
Verdict:
Malicious activity
Analysis date:
2022-12-07 07:21:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ac7d339e-4570-44b0-bf15-8bbae0833139

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/343747/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.46272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63903db6d4d7598ad904a820/reports/1d999b79-f1c0-42d6-bb4d-61035b486370/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/813b0c98-caaa-4599-be9e-51120d79d66f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1129660
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 762384 Sample: PO_4500003061 signed copy.exe Startdate: 07/12/2022 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 11 other signatures 2->57 7 hCAyCw.exe 5 2->7         started        10 PO_4500003061 signed copy.exe 7 2->10         started        process3 file4 59 Multi AV Scanner detection for dropped file 7->59 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->61 63 Machine Learning detection for dropped file 7->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->65 13 hCAyCw.exe 3 7->13         started        17 schtasks.exe 1 7->17         started        19 hCAyCw.exe 7->19         started        33 C:\Users\user\AppData\Roaming\hCAyCw.exe, PE32 10->33 dropped 35 C:\Users\user\...\hCAyCw.exe:Zone.Identifier, ASCII 10->35 dropped 37 C:\Users\user\AppData\Local\...\tmp1F4A.tmp, XML 10->37 dropped 39 C:\...\PO_4500003061 signed copy.exe.log, ASCII 10->39 dropped 67 Adds a directory exclusion to Windows Defender 10->67 69 Injects a PE file into a foreign processes 10->69 21 PO_4500003061 signed copy.exe 3 10->21         started        23 powershell.exe 21 10->23         started        25 schtasks.exe 1 10->25         started        signatures5 process6 dnsIp7 41 208.91.198.143, 25, 49768 PUBLIC-DOMAIN-REGISTRYUS United States 13->41 43 smtp.saudlunion.com 13->43 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->71 73 Tries to steal Mail credentials (via file / registry access) 13->73 75 Tries to harvest and steal ftp login credentials 13->75 77 Tries to harvest and steal browser information (history, passwords, etc) 13->77 27 conhost.exe 17->27         started        45 smtp.saudlunion.com 21->45 47 us2.smtp.mailhostbox.com 208.91.199.224, 25, 49734 PUBLIC-DOMAIN-REGISTRYUS United States 21->47 49 192.168.2.1 unknown unknown 21->49 29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59e009667dbb1344d0639b171763fe0d79b27e4419df4ee9829b7789197cc6e4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-12-07 03:10:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lhqaszt5xmjujuddtmlroy76bv43e7sedhpu52mctn3ysgl4y3sa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1077d3daea82b7cb84943204ccfc70ee040676a305d7027c7980512b3da80f53
AgentTesla
28da4dc581a7a99fddff8eef31876687c6c64a0564c35f1b9bab984fc9c9160c
AgentTesla
3f08f63c3f336f3823c710a40e674421bbc6316e0088e0989d1ac06085bc5b62
AgentTesla
5e63926b7ce5fb0d4bc1363397c655d0c3b29114497308db183b124b048c033f
AgentTesla
624986bf92ce4a3301888ca62e5e20b19d4b662862fb2289d87865a3d67b206d
AgentTesla
8b2b130f783c2c3d56658c2fb5d282b70edbd828d76faae5c44027c2f2a017bd
AgentTesla
a0ff80b35d216e7d45a53f69f961f1d52a8d5c5f74786bae368168e53d6ff073
AgentTesla
b7394e25936c4fd44716fcdcce914a35c0cdb0980e4527035681df4f800520e7
AgentTesla
ba9013c23988b787a28abf3dc0c0f1599372967e4bd9b7abd24280180d5843ba
AgentTesla
c1f9f8a6133d2f6f01574b1a8dafabae2376448bc7a6727a66b8070b66ff15dd
AgentTesla
+ 6'116 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221207-h3s7vseh53/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0aa13318-bc9d-4ada-bbf6-a8e6e0e88a73
Unpacked files
SH256 hash:
509567b7ff1fe8a4f690297f9767633dad8f48588d02f9429dbd32090774e6a0
MD5 hash:
b80935d19fad50a348f8148d38b8a2ee
SHA1 hash:
ff30e011d1bebd0d8cf3e32a6ecc66447c7a2c21
Link:
https://www.unpac.me/results/60b12d2d-2589-40d5-bdad-e76257273784/
SH256 hash:
e2136e8416f19e49872c8fd3fc55facb1fc8ec90d07089b030d559cab89c12ba
MD5 hash:
804dd8d93161e059ff7a4365e98a4f2f
SHA1 hash:
ee4f76c62fcb02a45c7360cb9a1596ba8f68778f
Link:
https://www.unpac.me/results/60b12d2d-2589-40d5-bdad-e76257273784/
SH256 hash:
239d0fe10b1a7347bc1d8a41fb541cb877be2477bfd8d92e03640703214c706a
MD5 hash:
0dd7880c7c1b6506e31d78d90905dd19
SHA1 hash:
c49d95f0ad399cf4fe450fa4e991f12b78224733
Link:
https://www.unpac.me/results/60b12d2d-2589-40d5-bdad-e76257273784/
SH256 hash:
2e8d3d9acc423c8b0738fe4b1002209f6a73ee44221b3fec23b0783e6043243a
MD5 hash:
a49769d6b57140ecf0bd5b98707f2ecb
SHA1 hash:
3a6a30ce0d2d6c3a6e6efcd1ed209e2bc4458977
Link:
https://www.unpac.me/results/60b12d2d-2589-40d5-bdad-e76257273784/
SH256 hash:
9c605b0d4b2c3ba0701e0daa6d040c94c02d6d76793dea88191bbc98d671dea5
MD5 hash:
530dc7045e4618c4ee202d831ab3fc77
SHA1 hash:
240c14100a9c2e99ead0cfffd198cb7beb62ba40
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/60b12d2d-2589-40d5-bdad-e76257273784/
Parent samples :
59e009667dbb1344d0639b171763fe0d79b27e4419df4ee9829b7789197cc6e4
837ee4fe1bd6e6226f7e033a89bbdd0f45ab18273d314c16cf1d723e258c5613
SH256 hash:
59e009667dbb1344d0639b171763fe0d79b27e4419df4ee9829b7789197cc6e4
MD5 hash:
9bd1c9256c64814f6c83e3a76f60c42c
SHA1 hash:
b7867985ca8a61d942e82a021e27b9dbea5c0b42
Link:
https://www.unpac.me/results/60b12d2d-2589-40d5-bdad-e76257273784/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59e009667dbb1344d0639b171763fe0d79b27e4419df4ee9829b7789197cc6e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 59e009667dbb1344d0639b171763fe0d79b27e4419df4ee9829b7789197cc6e4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/343747/

Comments