MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 633732fb9207dfc4671f1b6da4f78913e6a4301462af3f6f6d74144142cb371f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 633732fb9207dfc4671f1b6da4f78913e6a4301462af3f6f6d74144142cb371f
SHA3-384 hash: 8925b3ec9654ea45252ab5d619f6d12d16d5044986f5facdbd19d7f8f06b9a5cfb109f70fa2e0451cba3f86d5d6ae2e5
SHA1 hash: b0410f2d34727645cf104cfa7065a15c1a892321
MD5 hash: b6f06228d26e3a5b3b8fc1988e35b926
humanhash: beer-sink-xray-victor
File name:633732fb9207dfc4671f1b6da4f78913e6a4301462af3f6f6d74144142cb371f
Download: download sample
Signature AgentTesla
Create hunting rule
File size:173'056 bytes
First seen:2023-10-11 13:46:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:STLRDzHbYtK7k9Q6yb67UgyPFTsVBkCSzteMagSYRkVzwv1ma8c2D:STLRDzHctv9RxkFT8kCatcYwzcYh
Threatray 357 similar samples on MalwareBazaar
TLSH T1E70418142BC9A725C5CE4276F4B107144FF1C203AB46BB67A9B6F9F21C8778299232B5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
633732fb9207dfc4671f1b6da4f78913e6a4301462af3f6f6d74144142cb371f
Verdict:
Suspicious activity
Analysis date:
2023-10-11 13:47:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c6149eb8-4c8d-4ba3-9718-f5e00e7208ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/453270/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.17992.26997.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin packed replace
Link:
https://www.filescan.io/uploads/6526a757426c8727d6f99a6b/reports/b5724a9a-4f08-4af1-b571-a8853914fac2/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/633732fb9207dfc4671f1b6da4f78913e6a4301462af3f6f6d74144142cb371f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfc4ace5-87b9-4164-bd19-f7319e560d25
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1323771
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1323771 Sample: nwRwTFwuCJ.exe Startdate: 11/10/2023 Architecture: WINDOWS Score: 100 29 web.fe.1drv.com 2->29 31 onedrive.live.com 2->31 33 4 other IPs or domains 2->33 47 Found malware configuration 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected AgentTesla 2->51 53 5 other signatures 2->53 7 nwRwTFwuCJ.exe 16 5 2->7         started        11 Mgkvowure.exe 14 5 2->11         started        13 Mgkvowure.exe 4 2->13         started        signatures3 process4 file5 27 C:\Users\user\AppData\Roaming\Mgkvowure.exe, PE32 7->27 dropped 55 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->55 57 Writes to foreign memory regions 7->57 59 Allocates memory in foreign processes 7->59 15 aspnet_compiler.exe 14 2 7->15         started        19 aspnet_compiler.exe 7->19         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 aspnet_compiler.exe 11->21         started        23 aspnet_compiler.exe 11->23         started        25 aspnet_compiler.exe 13->25         started        signatures6 process7 dnsIp8 35 api4.ipify.org 104.237.62.212, 443, 49717, 49725 WEBNXUS United States 15->35 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->37 39 Contains functionality to register a low level keyboard hook 19->39 41 Tries to steal Mail credentials (via file / registry access) 25->41 43 Tries to harvest and steal browser information (history, passwords, etc) 25->43 45 Installs a global keyboard hook 25->45 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/633732fb9207dfc4671f1b6da4f78913e6a4301462af3f6f6d74144142cb371f/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-09-26 09:55:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mm3tf64sa7p4izy7dnw2j54jcptkimaumkxt633noqkecqwlg4pq._file
Verdict:
malicious
Similar samples:
4343245f1db76214093c4adefb0b167327c7bd49fa66608eccb2c4faadc3e32d
AgentTesla
4571baeca67cf5bdbf435a6c65112b6fe2a2d2f36e5da65ce6150faae407f841
AgentTesla
4a699a693c63228aebd3e0bc98d92fe2d8bb7ae487992e81cfee767f0b9ed1bf
AgentTesla
7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c
AgentTesla
861858ded7f88ccc9998eb6286cf9376fe7509a04901808bc5a3d35b076412a6
AgentTesla
89bc9fdb7d1d93a49c7cf3ccfff8ec5c174a44dd580e63e3cb47de448e9daefc
AgentTesla
b4897fb2b7450804ea184f77c7661b1af8c022c294d69f127e8c1ee47f37ca68
AgentTesla
b93fab56242eb11d31992191aa2a57f93c8f9b77d1041b4c97e830f2b4ff5045
AgentTesla
c22334a30489c310ccebd2eb69b289bf3f01461a72a4da146a59cdaa06283e04
AgentTesla
e146c10d13f2ed30acbf8733bf5b3ae1e75572fd917d8b6749b69c54676e9923
AgentTesla
+ 347 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231011-q3jbnace92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
633732fb9207dfc4671f1b6da4f78913e6a4301462af3f6f6d74144142cb371f
MD5 hash:
b6f06228d26e3a5b3b8fc1988e35b926
SHA1 hash:
b0410f2d34727645cf104cfa7065a15c1a892321
Link:
https://www.unpac.me/results/6af041af-a6b2-4437-8485-3cf8e242ddf7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/633732fb9207dfc4671f1b6da4f78913e6a4301462af3f6f6d74144142cb371f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/453270/

Comments