MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 672f129436328ef22b40863bd0158d013bb4925cbbd4d6b7d5b031a9d56bbd53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 672f129436328ef22b40863bd0158d013bb4925cbbd4d6b7d5b031a9d56bbd53
SHA3-384 hash: fc760c97a6e82215b02e5fcb3b5ad58d34635fe1ead00cdc91dc3ace29b46f6c2af30cdd1cbade27389f3e1af7ac3530
SHA1 hash: cec2f2aa3fdcc02815e397c5758d823fb0fc8e10
MD5 hash: 59768886645ce9dba798464bcb6a0fde
humanhash: queen-november-freddie-pasta
File name:SecuriteInfo.com.W32.AIDetectNet.01.18585.23422
Download: download sample
Signature AgentTesla
Create hunting rule
File size:749'056 bytes
First seen:2022-07-19 12:50:17 UTC
Last seen:2022-07-19 13:40:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:8NYlBo5VOuDpZ29alSQ7upNBP2RGsSHbPWb2gb3IU3ScaFlSNS:8s9c2YlbuzBu1EPO9VaQS
Threatray 17'855 similar samples on MalwareBazaar
TLSH T128F4237333B5A708E67D07BB5878946153F0A7463161D79D9F80A2CF1A22B868752F33
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291870/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.18585.23422.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d6a8bc0e298a94f3de311a/reports/7b5f44df-45fa-4eb9-8301-3ecb0e699251/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e341b53-c284-4529-8957-6ac43e7ecc78
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036508
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 669002 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 19/07/2022 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AgentTesla 2->45 47 6 other signatures 2->47 7 SecuriteInfo.com.W32.AIDetectNet.01.18585.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\...\AURWghlROj.exe, PE32 7->27 dropped 29 C:\Users\...\AURWghlROj.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmpDAB7.tmp, XML 7->31 dropped 33 SecuriteInfo.com.W...et.01.18585.exe.log, ASCII 7->33 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 7->53 55 2 other signatures 7->55 11 SecuriteInfo.com.W32.AIDetectNet.01.18585.exe 7->11         started        15 powershell.exe 22 7->15         started        17 powershell.exe 25 7->17         started        19 schtasks.exe 7->19         started        signatures5 process6 dnsIp7 35 smtp-msa.hostinger.com 34.117.234.7, 49772, 49773, 587 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 11->35 37 192.168.2.1 unknown unknown 11->37 39 smtp.hostinger.com 11->39 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->57 59 Tries to steal Mail credentials (via file / registry access) 11->59 61 Tries to harvest and steal ftp login credentials 11->61 63 2 other signatures 11->63 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/672f129436328ef22b40863bd0158d013bb4925cbbd4d6b7d5b031a9d56bbd53/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2022-07-19 12:51:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
56
AV detection:
25 of 39 (64.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m4xrffbwgkhpek2aqy55afmnae53jes4xpknnn6vway2tvllxvjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2839842caf794b0f23e7c08b8dd16365d51fb29c9ca77eb62788b22500abb529
AgentTesla
416f95fa60681b85d328c5612f410650825908b3e1fb58af634b60bb35ac1969
AgentTesla
5cd5e38a27f98e7f6576bb0b26e97d9fac24388fd048d68f2114a4b3c7ed04fd
AgentTesla
5e06fec23859ec0d327ed84a9b536a03ca52204cedf4887149150cf7d02db8e7
AgentTesla
8126addf40ee416e253cf5b46048633dc836856575e92ce271854417a1ddf9f7
AgentTesla
8c0726ab5d6f41c5e8d123d8c2444eb709543ee350dcecfe6e5190ddfe32e337
AgentTesla
96f58f7de3586db2204d85ddce02f7ef5c72b92fd9ab314b590752ddca7cf941
AgentTesla
abd0a804168a65ceb8827d34d11b58601eb5d947637ee9fdd2dffa3a4afc9961
AgentTesla
cfe8883503f6c675d58b8d30c1d0a9064da329fc82bf4f5cd4230783d53a5c6c
AgentTesla
f6ce1d99d9d0e92d05d77b291837804b33b31f16f4a79bedc1c27aac8d54dcf1
AgentTesla
+ 17'845 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220719-p3gmdsdaer/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/dbaa26d7-68ab-45ef-a6b1-9f6691ecc9e7/
SH256 hash:
6d8387cb33257a8d86d59b0c952203cabb70ac4133c572fd771a8b780f49779a
MD5 hash:
2b61a22a35a9c5196d69d9aa545e0fde
SHA1 hash:
ded042e785b62f3a338735c7cce1edeec06dab55
Link:
https://www.unpac.me/results/dbaa26d7-68ab-45ef-a6b1-9f6691ecc9e7/
SH256 hash:
f6d1cda2efe2622064025631b2a1ee8e5bdc057798de203ed5841916e662b4a1
MD5 hash:
fb7cc194309b03e66b160fe20f371762
SHA1 hash:
7b6fe95b9b6af1328d43ef9fff27919d807b9c47
Link:
https://www.unpac.me/results/dbaa26d7-68ab-45ef-a6b1-9f6691ecc9e7/
SH256 hash:
5029c32d188574a182cf1832cf73e54857806c4f63aada05487a5223c353e6cd
MD5 hash:
7a627c173a725b046e01c4a2d5b48f84
SHA1 hash:
6c7bcd729779ab2a683633b8aca550bcc857272f
Link:
https://www.unpac.me/results/dbaa26d7-68ab-45ef-a6b1-9f6691ecc9e7/
SH256 hash:
bb690693bb3aeeae0dffcd4ff1309c16ceea1e10bb131458459d61c3977d1bc8
MD5 hash:
ee61d8ad01be7b7663cf68c3da44d1fa
SHA1 hash:
09286fd7a2091cc7a0f83452196ad0c5daf8f0af
Link:
https://www.unpac.me/results/dbaa26d7-68ab-45ef-a6b1-9f6691ecc9e7/
SH256 hash:
672f129436328ef22b40863bd0158d013bb4925cbbd4d6b7d5b031a9d56bbd53
MD5 hash:
59768886645ce9dba798464bcb6a0fde
SHA1 hash:
cec2f2aa3fdcc02815e397c5758d823fb0fc8e10
Link:
https://www.unpac.me/results/dbaa26d7-68ab-45ef-a6b1-9f6691ecc9e7/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/672f12943632/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/672f129436328ef22b40863bd0158d013bb4925cbbd4d6b7d5b031a9d56bbd53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291870/

Comments