MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 674a748111a6ce0179d7282aec3a9b3da359f024c4206f61876a78261e65c19d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 674a748111a6ce0179d7282aec3a9b3da359f024c4206f61876a78261e65c19d
SHA3-384 hash: 5c1045ef93488268d8f9c909228410e96a242371c44f75ff08e5f2ea118e1f69a71c9949129ddd891dbe15daff564706
SHA1 hash: 9423d423f055a13a81283dd3301fd1f4a015a765
MD5 hash: b495d7349aef2717e86fd2e9dac1d4a0
humanhash: nuts-tennis-shade-mountain
File name:THEMETAL NEW ORDERFOB$ _KORIA PORT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:629'760 bytes
First seen:2023-09-27 07:12:20 UTC
Last seen:2023-09-28 06:20:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:7hn+Uw+MMMDMMMWOieuvCHT4qozt1NQsgn0YNn+PCU:5MMMDMMMWOi9vWTKtrzUrN+PC
Threatray 5'771 similar samples on MalwareBazaar
TLSH T170D4AE1571EF1816E777EBBB87ABF941C7BEF2A1226B721A406603C685D2D02F702534
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter cocaman
Tags:AgentTesla exe Shipping

Intelligence

File Origin
# of uploads :
2
# of downloads :
283
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
THEMETAL NEW ORDERFOB$ _KORIA PORT.exe
Verdict:
Malicious activity
Analysis date:
2023-09-27 07:17:20 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/74484cd1-1f3b-4398-b73a-ced6e42446ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451480/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6703.12216.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade packed
Link:
https://www.filescan.io/uploads/6513d60032ffdb7a7a15bf97/reports/64645320-eefa-49d4-a23c-2ac53027758e/overview
Verdict:
Malicious
Labled as:
Trojan.Olock.Generic
Link:
https://www.hybrid-analysis.com/sample/674a748111a6ce0179d7282aec3a9b3da359f024c4206f61876a78261e65c19d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6706152b-1fb2-41bf-9b33-2f43a3af32bc
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1315028
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/674a748111a6ce0179d7282aec3a9b3da359f024c4206f61876a78261e65c19d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 07:12:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5fhjairu3hac6oxfavoyou3hwrvt4beyqqg6ymhnj4cmhtfygoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
37126cf9380ef51cfd3edd6718f68995776eb13df819ebae3d1ac974148ec3cb
AgentTesla
727a759fed6228f9794f4fdf08fd351705631e2a32bdb4ad60230cace276adf3
AgentTesla
7576e8a511b554c10cbb9af84a0e764f2c22e05bbeb04747ffc773aa39e0590d
AgentTesla
83748a5ac66d6a53d6c71eafa0bc7da28546bb58b60fd27bedd158730844a6dc
AgentTesla
83e202c299d139b909d80f39e81487515d2f21a9a0b6546f42dbd194088e07e7
AgentTesla
8ceb54467845b5f7b8d94495e26b7d734502fe75aae49ab69157eec471a262f4
AgentTesla
974ca7ad435352579a6080a0437db8fb96a3cc0627799820cbe3aac2fd0a6a0f
AgentTesla
db44e1da719b971f2fb5919d535170aab2779e13ab8db9e04e054c6efd4dff65
AgentTesla
+ 5'761 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230927-h13nhsgg7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
77d0a15aa311d024d9bc81854b8f0125e22b03e3310d09efe9c69f86300b48c1
MD5 hash:
7325134f63db58cb2d63f66ff88a7a0e
SHA1 hash:
8466563fd947299f1fbd9947898ad0657021ae51
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/c90f171c-a1b7-40d8-8156-aa5e3aa2ae87/
Parent samples :
83748a5ac66d6a53d6c71eafa0bc7da28546bb58b60fd27bedd158730844a6dc
7576e8a511b554c10cbb9af84a0e764f2c22e05bbeb04747ffc773aa39e0590d
674a748111a6ce0179d7282aec3a9b3da359f024c4206f61876a78261e65c19d
91a10a6ddbdd84c582c2cd618a659bee55d9da5f6b8a4b94241069958a710951
SH256 hash:
82285a575ea205476be5bf48340be52a19296fb6afff6183e6602ac8fc9a449a
MD5 hash:
4c963ce10be216472a5cc89e6866e241
SHA1 hash:
21a9a24908f421fee6a1d4b6041bd5871cffbd2f
Link:
https://www.unpac.me/results/c90f171c-a1b7-40d8-8156-aa5e3aa2ae87/
SH256 hash:
4d14fc732441e97cebd4251c7bf2413b6a645bc3fe88850740a59b546c070a8b
MD5 hash:
a859536710b9974de8a73f98d709ec64
SHA1 hash:
16ce1e03d01d44247e2e1dc0992a0f7a5adea03a
Link:
https://www.unpac.me/results/c90f171c-a1b7-40d8-8156-aa5e3aa2ae87/
SH256 hash:
674a748111a6ce0179d7282aec3a9b3da359f024c4206f61876a78261e65c19d
MD5 hash:
b495d7349aef2717e86fd2e9dac1d4a0
SHA1 hash:
9423d423f055a13a81283dd3301fd1f4a015a765
Link:
https://www.unpac.me/results/c90f171c-a1b7-40d8-8156-aa5e3aa2ae87/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/674a748111a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/674a748111a6ce0179d7282aec3a9b3da359f024c4206f61876a78261e65c19d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar fcc51316cec66e2d67480c4b19e859f670aaf2e69d665931ba6a14c3a2b12783

AgentTesla

Executable exe 674a748111a6ce0179d7282aec3a9b3da359f024c4206f61876a78261e65c19d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fcc51316cec66e2d67480c4b19e859f670aaf2e69d665931ba6a14c3a2b12783
Cape
Cape
https://www.capesandbox.com/analysis/451480/
  
Dropped by
SHA256 6b43ab5c7a314a931c426ba3548b3b568786966d19632d29638f279dfb609950
  
Dropped by
MD5 2a557ff9e8d956e1f04115d9457a9659
  
Dropped by
MD5 2eb13ba7d1d4b5af2d1f720ae7575858

Comments