MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e9fb70e299a28b494b0ef9522226219e4dbf7dcf1aeae541f23eaa90ff3f28f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla

Vendor detections: 16


SHA256 hash: 5e9fb70e299a28b494b0ef9522226219e4dbf7dcf1aeae541f23eaa90ff3f28f
SHA3-384 hash: add8a0020979560b710a889b7811aefc46e1d0066b777f58279f3560335b2fba2857ad2b43b967fd1943a8c2612c97ae
SHA1 hash: e43e936a9b2b0ce2a586015ca54e143062eb8a61
MD5 hash: ad46efc7f1d5a27a14711c334f05ce50
humanhash: grey-charlie-pluto-zebra
File name:SecuriteInfo.com.Win32.DropperX-gen.13470.11348
Signature AgentTesla
File size:1'314'816 bytes
First seen:2023-10-24 07:30:27 UTC
Last seen:2023-10-24 08:15:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b4498ed238a5d5d6510e036e3bb29986 (8 x DBatLoader, 1 x AgentTesla)
ssdeep 24576:bKuO345cRv/kabphVsJhfYPzyB+4Buxrhre0QLd/0hkEBS/:bLysS24mwe0UMkEe
TLSH T18555D016F66188B5F03B0A396B2B57DEDF1C6E2929A4284B27FD7E580E35243345D0B3
TrID 36.1% (.SCR) Windows screen saver (13097/50/3)
29.0% (.EXE) Win64 Executable (generic) (10523/12/4)
12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 2a666013d6d253ac (12 x DBatLoader, 1 x AgentTesla, 1 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:AgentTesla exe
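
The file-type fields above (TrID, MIME type application/x-dosexec) and the PE32 / PE32+ labels on the dropped .pif, .exe and .dll files later on this page are all derived from the file content, not the extension. The following is an added example, not code from MalwareBazaar or any of the sandboxes quoted here: a minimal PE header parser that classifies a blob as PE32 or PE32+, reports the COFF machine type and whether it is a DLL. The test images it builds are constructed header-only stubs, not the real sample, and the file names in the demo are only labels taken from the process tree on this page.

```python
import struct

# Machine values from the COFF file header (IMAGE_FILE_MACHINE_*).
MACHINES = {0x014C: "i386", 0x8664: "x64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
# Optional-header magic: 0x10B = PE32 (32-bit image), 0x20B = PE32+ (64-bit image).
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000


def pe_format(data: bytes):
    """Classify a file by content. Returns a dict, or None if it is not a PE."""
    # DOS stub: 'MZ' magic, and e_lfanew (offset of the PE signature) at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte signature plus the 20-byte COFF header must fit inside the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine, n_sections, _timestamp, _symtab, _n_symbols,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + 2 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt_off)[0]
    return {
        "machine": MACHINES.get(machine, f"0x{machine:04x}"),
        "format": OPTIONAL_MAGIC.get(magic, f"unknown(0x{magic:x})"),
        "sections": n_sections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def make_test_image(machine: int, magic: int, characteristics: int = 0x0002) -> bytes:
    """Build a constructed, header-only PE stub (not a real sample) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE signature directly after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    # Labels only: these stubs stand in for the dropped files named on this page.
    samples = {
        "easinvoker.exe (x64 EXE)": make_test_image(0x8664, 0x20B),
        "netutils.dll (x64 DLL)": make_test_image(0x8664, 0x20B, 0x2002),
        "bqkjfjpG.pif (x86 EXE, PE despite the extension)": make_test_image(0x014C, 0x10B),
        "not_a_pe.txt": b"hello",
    }
    for name, blob in samples.items():
        print(name, "->", pe_format(blob))
```

A .pif or .PIF extension on a PE is itself worth flagging during triage: Windows still executes it as a PE, which is why the sandbox reports "Drops PE files with a suspicious file extension".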

Intelligence


File Origin
# of uploads :
2
# of downloads :
323
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
SecuriteInfo.com.Win32.DropperX-gen.13470.11348
Verdict:
Malicious activity
Analysis date:
2023-10-24 07:32:17 UTC
Tags:
dbatloader stealer agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla, DBatLoader, RedLine, zgRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected DBatLoader
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1331106
Sample: SecuriteInfo.com.Win32.DropperX-gen.13470.11348.exe
Start date: 24/10/2023
Architecture: WINDOWS
Score: 100
Network (from the graph):
wnvfvq.sn.files.1drv.com
web.fe.1drv.com
3 other IPs or domains
terminal7.veeblehosting.com 185.56.136.50:587 (SECUREDSERVERS-EU, Malta), contacted by bqkjfjpG.pif
127.0.0.1, contacted by PING.EXE
Dropped files (from the graph):
C:\Users\Public\Libraries\netutils.dll, PE32+
C:\Users\Public\Libraries\easinvoker.exe, PE32+
C:\Users\Public\Libraries\bqkjfjpG.pif, PE32
C:\Users\Public\Libraries\Gpjfjkqb.PIF, PE32
C:\Windows \System32\easinvoker.exe, PE32+ (dropped by xcopy.exe; note the trailing space in the directory name)
C:\Windows \System32\netutils.dll, PE32+
Process tree (from the graph):
SecuriteInfo.com.Win32.DropperX-gen.13470.11348.exe: drops PE files with a suspicious file extension, writes to foreign memory regions, allocates memory in foreign processes; starts cmd.exe, Gpjfjkqb.PIF and bqkjfjpG.pif
cmd.exe: uses ping.exe to sleep, drops executables to the windows directory (C:\Windows) and starts them, uses ping.exe to check the status of other devices and networks; starts easinvoker.exe, PING.EXE, xcopy.exe and 8 other processes
easinvoker.exe: starts cmd.exe, which starts cmd.exe and conhost.exe (adds a directory exclusion to Windows Defender); the inner cmd.exe starts powershell.exe (adds a directory exclusion to Windows Defender; DLL side loading technique detected), which starts conhost.exe
Gpjfjkqb.PIF: multi AV scanner and machine learning detection for dropped file, writes to foreign memory regions, allocates memory in foreign processes, sample uses process hollowing technique, allocates many large memory junks; starts bqkjfjpG.pif
bqkjfjpG.pif: detected unpacking (changes PE section rights, overwrites its own PE header), tries to harvest and steal Putty / WinSCP information, tries to steal Mail credentials (via file / registry access), tries to harvest and steal browser information (history, passwords, etc), 2 other signatures; connects to 185.56.136.50:587
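
The process tree above gives a hunting analyst four concrete, host-observable behaviours: an executable started from C:\Windows \System32 (a directory that differs from the real one only by a trailing space), a .pif PE run from C:\Users\Public\Libraries, ping.exe used against 127.0.0.1 as a sleep, and a PowerShell child of cmd.exe that adds a Defender exclusion. The following is an added example, not code from MalwareBazaar or the sandbox vendors: detection logic run over a constructed set of process-creation events modelled on that tree. The ping and PowerShell command lines (the -n count, Add-MpPreference -ExclusionPath and its target directory) are assumptions; the page reports the behaviours, not the exact commands.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record: image path, command line, parent image."""
    image: str
    cmdline: str
    parent: str


# Constructed events modelled on the sandbox process tree on this page (not real telemetry).
# Command lines for ping and powershell are assumed, not taken from the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows \System32\easinvoker.exe",
              r'"C:\Windows \System32\easinvoker.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\PING.EXE",
              "ping 127.0.0.1 -n 10",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -WindowStyle Hidden Add-MpPreference -ExclusionPath "C:\Users\Public\Libraries"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\Public\Libraries\bqkjfjpG.pif",
              r"C:\Users\Public\Libraries\bqkjfjpG.pif",
              r"C:\Users\Public\Libraries\Gpjfjkqb.PIF"),
    # Benign controls: a connectivity ping and an ordinary user process.
    ProcEvent(r"C:\Windows\System32\PING.EXE", "ping 8.8.8.8 -n 1", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]


def mock_system_dir(path: str) -> bool:
    """True when any directory component carries trailing whitespace (C:\\Windows \\System32)."""
    parts = path.split("\\")[:-1]  # directories only, not the file name
    return any(p and p != p.rstrip() for p in parts)


def detect(events):
    """Return (rule, image) findings for the behaviours reported on this page."""
    findings = []
    for ev in events:
        img = ev.image.lower()
        cmd = ev.cmdline.lower()
        base = img.rsplit("\\", 1)[-1]
        if mock_system_dir(ev.image):
            findings.append(("mock_system_dir", ev.image))
        if base.endswith(".pif") and img.startswith("c:\\users\\public\\"):
            findings.append(("pif_from_public_libraries", ev.image))
        # Self-ping with a repeat count is the classic cmd.exe sleep; a single ping elsewhere is not.
        if base == "ping.exe" and "127.0.0.1" in cmd and re.search(r"-n\s+\d+", cmd):
            findings.append(("ping_sleep", ev.image))
        if base == "powershell.exe" and re.search(r"add-mppreference\b.*-exclusion", cmd):
            findings.append(("defender_exclusion", ev.image))
    return findings


def triggered_rules(events):
    """Rule names only, in event order, for quick comparison."""
    return [rule for rule, _ in detect(events)]


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
```

Each rule is cheap and high-precision on its own; the value of this tree is that all four fire on a single cmd.exe lineage within seconds, which is what a correlation rule should key on rather than any one of them.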
Threat name:
Win32.Trojan.Remcos
Status:
Malicious
First seen:
2023-10-24 06:40:20 UTC
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Result
Malware family:
Score:
  10/10
Tags:
family:agenttesla family:modiloader family:zgrat keylogger persistence rat spyware stealer trojan
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
AgentTesla
Detect ZGRat V1
ModiLoader, DBatLoader
ZGRat
Unpacked files
SHA256 hash:
b84daaf8a74ca536da7ec9c2a72d418ebe2db4462b99d7ee69fbc4713ffc8930
MD5 hash:
e943ba5fb84c37030c0daf907c79825c
SHA1 hash:
d393d513939c6a4b1e5fb2598ef14ed424fcb9e2
Detections:
win_dbatloader_g1
Parent samples :
SHA256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 hash:
5e9fb70e299a28b494b0ef9522226219e4dbf7dcf1aeae541f23eaa90ff3f28f
MD5 hash:
ad46efc7f1d5a27a14711c334f05ce50
SHA1 hash:
e43e936a9b2b0ce2a586015ca54e143062eb8a61
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Author:malware-lu
Rule name:Borland
Author:malware-lu
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments