MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 27 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
SHA3-384 hash: 58d6be580b088788e1304d94fbc0568b592b10392eafba0b3c6f308c8b99149cd66faf53e0dad230caaed6365c7db28f
SHA1 hash: 20514ac586fb6847057be18ecf00b84cda7e948f
MD5 hash: d61526463472da19dd8869f484a8f4ef
humanhash: nine-hawaii-cold-winter
File name:65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
Download: download sample
Signature AgentTesla
Create hunting rule
File size:335'872 bytes
First seen:2024-11-25 14:27:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 009023b6b22e202aa54365d2270f6f95 (2 x DarkComet, 1 x LimeRAT, 1 x AgentTesla)
ssdeep 3072:7+2Lmlx1JlKiSBTxbBGiz64tlyz5X0JdYA4TQTnDrGdQo9bFxYo9OtVa2M:7+2Lmlx1JldSVxbBF643yOdxBDrGVbHR
Threatray 3'896 similar samples on MalwareBazaar
TLSH T17C6472027F88EB11E1A93E3782EF2D2413B2B0C71633D20F6F499B6514516869D7EB6D
TrID 46.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.7% (.EXE) Win64 Executable (generic) (10522/11/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
Reporter JAMESWT_WT
Tags:89-40-31-232 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
418
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa.exe
Verdict:
Malicious activity
Analysis date:
2024-11-25 14:30:54 UTC
Tags:
evasion telegram stealer agenttesla exfiltration remote xworm crypto-regex ims-api generic smtp
Link:
https://app.any.run/tasks/3c1813bd-d62e-4d96-8ac3-35fdd1e2c189

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilperseus-9956591-0
Create hunting rule

Win.Packed.njRAT-10002074-1
Create hunting rule

Win.Packed.Generic-10003641-0
Create hunting rule

Win.Packed.Generic-10011753-0
Create hunting rule

Win.Packed.Msilzilla-10019837-0
Create hunting rule

Win.Packed.Loveletter-10023052-0
Create hunting rule

Win.Packed.Loveletter-10024677-0
Create hunting rule

Win.Packed.Msilzilla-10026193-0
Create hunting rule

Win.Malware.Deepscan-10028866-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.XWorm.UNOFFICIAL
Create hunting rule

Win.Trojan.Agent-427541
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67448976d0583382434b0e4e
Tags:
agenttesla asyncrat lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Stealing user critical data
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
agenttesla anti-vm asyncrat azorult backdoor clipbanker coinminer darkkomet evasive fingerprint hacktool hook infostealer keylogger lolbin microsoft_visual_cc njrat obfuscated packed rat remote stealer stealer windows
Link:
https://www.filescan.io/uploads/67448980fcae1d619b4ec2a2/reports/b7e890c5-b359-4591-8b07-d1459b463135/overview
Verdict:
Malicious
Labled as:
Backdoor.Generic
Link:
https://www.hybrid-analysis.com/sample/65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7a8e294-7043-4bed-83ae-dcb4deae7c6e
Result
Threat name:
AgentTesla, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1562433
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562433 Sample: DJ5PhUwOsM.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 20 api.telegram.org 2->20 22 api.ipify.org 2->22 32 Suricata IDS alerts for network traffic 2->32 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 40 14 other signatures 2->40 7 DJ5PhUwOsM.exe 1 5 2->7         started        signatures3 38 Uses the Telegram API (likely for C&C communication) 20->38 process4 file5 16 C:\Users\user\AppData\...\FB_7D21.tmp.exe, PE32 7->16 dropped 18 C:\Users\user\AppData\...\FB_7BD8.tmp.exe, PE32 7->18 dropped 10 FB_7BD8.tmp.exe 15 2 7->10         started        14 FB_7D21.tmp.exe 14 2 7->14         started        process6 dnsIp7 24 162.254.34.31, 49705, 587 VIVIDHOSTINGUS United States 10->24 26 api.ipify.org 104.26.13.205, 443, 49704 CLOUDFLARENETUS United States 10->26 42 Antivirus detection for dropped file 10->42 44 Multi AV Scanner detection for dropped file 10->44 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->46 54 4 other signatures 10->54 28 89.40.31.232, 1717, 49707, 49753 TELEMEDIA-ASRO Romania 14->28 30 api.telegram.org 149.154.167.220, 443, 49706 TELEGRAMRU United Kingdom 14->30 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->48 50 Protects its processes via BreakOnTermination flag 14->50 52 Machine Learning detection for dropped file 14->52 signatures8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa/
Threat name:
Win32.Backdoor.Fynloski
Create hunting rule
Status:
Malicious
First seen:
2024-11-21 12:36:58 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxvhyuqsmtljuxqejix2pks2gmbylzztwhhpx7zrzoafvoxqm75a._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
xworm
Create hunting rule
Similar samples:
1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b
AgentTesla
2a34fdbd85ede8fa71f6c5133c3b38ce86334a0ec30cec9081b7b5d33cb6edf3
AgentTesla
5e7a31b88c9972678a7f64c36f42d7a0172e3f1672db3aeccc5c7e5c575524c0
AgentTesla
65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
AgentTesla
8b8d68a47897fc7f8612ad932aec65de7e5523d2ed7619dadb686f1c1adeab80
AgentTesla
be5ca82d327d53fc7eb8719289394cf37cc1f45d39429b8e527d600193b706e0
AgentTesla
error
AgentTesla
+ 3'886 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:xworm discovery keylogger rat spyware stealer trojan
Link:
https://tria.ge/reports/241125-rszfkaxnbq/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Agenttesla family
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
89.40.31.232:1717
Verdict:
Malicious
Tags:
rat xworm trojan stealer agent_tesla External_IP_Lookup Win.Packed.Msilperseus-9956591-0
YARA:
win_mal_XWorm MALWARE_Win_XWorm Windows_Generic_Threat_9f4a80b2 Agenttesla_type2 AgentTeslaV3 AgentTeslaV5 Windows_Trojan_AgentTesla_ebf431a8 JPCERTCC_Agenttesla_Type2
Link:
https://app.threat.zone/submission/25f8c2d3-91b1-4399-a4ce-8684db96c395
Unpacked files
SH256 hash:
e9434c0bf7be5e39cfad4fe44bb996b09c1283de5706a8721a33363080e9d016
MD5 hash:
068c99328320caaa7c5f2d31b0ff214b
SHA1 hash:
e18b1e08e7f256602be60e1d75b15c2c73284ca2
Detections:
XWorm
Create hunting rule
win_xworm_w0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
win_xworm_bytestring
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/2d74c746-9094-440b-ab3d-b6d6278d8fb7/
Parent samples :
e9434c0bf7be5e39cfad4fe44bb996b09c1283de5706a8721a33363080e9d016
65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
SH256 hash:
fb247f5397ba1b2d9328d1acc2fd322181a91ced1953853abb41718dc21198ae
MD5 hash:
a21df2c0cca131eb534f520fd641adb5
SHA1 hash:
cd39e12e326191888b836c3419ac2cb71c2b5b11
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/2d74c746-9094-440b-ab3d-b6d6278d8fb7/
Parent samples :
0f176b21404c995d449d4abfa9ac7c9614c2ee2f3a204efffa3783dd16832c58
4d7489c7f5c86e43100b25314f49f3577d43ae47e090b0916578da82ec3d59e6
65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
fb247f5397ba1b2d9328d1acc2fd322181a91ced1953853abb41718dc21198ae
8ad905fc93383ead3be4caa578a8b1fd7cc59ba217fc86a2c2eca8997c0db8aa
1601868b52e7858aadf8f37a26d720fcd2ce0697cdefee537bf17c12879d6245
8e7ea1546b86935573d6ebcb6017b10557cedf8bc168243fdfcecf84b02f15d3
02114391e08d4e5e5f201dfc840af578b93f344e6a7edfd3632799ab353a4a88
a10431e043b70db47e5617767f04f8565b7c5af7de0e76256190d56565fc06b1
b46c2cb0bca50540123bbde92aa6f434b0d587a7de93916dd5a03682563b1141
2f4e209c6f1f1f5eedab708b4d6eb2af6767eed3e391d93972b38b3261627b6f
ead3cd3ddf7138948dcbdcdef2ba5759b87d2693c726ce16af3d673a651a28b4
82f25cda7187cea3cfd35a12235584e35922fbfbe3ac6f5bc702a40fa337deb5
SH256 hash:
65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
MD5 hash:
d61526463472da19dd8869f484a8f4ef
SHA1 hash:
20514ac586fb6847057be18ecf00b84cda7e948f
Detections:
win_agent_tesla_g2
Create hunting rule
win_xworm_w0
Create hunting rule
Link:
https://www.unpac.me/results/2d74c746-9094-440b-ab3d-b6d6278d8fb7/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/65ea7c521264/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:xworm
Create hunting rule
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::GetTempFileNameA
KERNEL32.dll::GetTempPathA

Comments