MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67694aa8ad851eae7f51b1e7067470d051f773f7d8ece3e0866290290556e06b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67694aa8ad851eae7f51b1e7067470d051f773f7d8ece3e0866290290556e06b
SHA3-384 hash: 9715a6849ee05a8c4f7edf2fe60f0df43717ea78d665a9c09566bbe296f70ae825bcf54ad03d74672758115c3b5b8f2f
SHA1 hash: 434a6b55f306ad1b55de328663b49d42db831b1c
MD5 hash: fc153e34133cfa02c80ebb1599e8d63e
humanhash: lactose-oxygen-beryllium-maryland
File name:Awb# 8457108962.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'202'176 bytes
First seen:2023-02-28 07:46:31 UTC
Last seen:2023-02-28 13:48:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:ifgme6uCA2zNUvghyCzHa8PQksEELBwUecTLED/+o9x/6qW:+gme6uLvyywHIkuLB1u+W1B
Threatray 970 similar samples on MalwareBazaar
TLSH T10B45AE4853B344B2FBDB12A51865228C4EB472CB3585F61B4F673751A522AFFB29F103
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 004c4d4d69694c00 (12 x AgentTesla, 5 x SnakeKeylogger, 1 x Loki)
Reporter 0xToxin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
205
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Awb# 8457108962.exe
Verdict:
Malicious activity
Analysis date:
2023-02-28 07:47:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/282511c3-c0bd-48cc-83a6-a40e00c3e09e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370535/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63fdb17b2ea6b369662ffa97/reports/aa4d00e1-b5c8-48c4-9504-dc56509ad20b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/67694aa8ad851eae7f51b1e7067470d051f773f7d8ece3e0866290290556e06b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5085044f-f0a5-4211-952c-77cce7102101
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1183986
Signature
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 816819 Sample: Awb# 8457108962.exe Startdate: 28/02/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 5 other signatures 2->51 6 Skype.exe 3 2->6         started        9 Awb# 8457108962.exe 3 2->9         started        12 Skype.exe 2 2->12         started        process3 file4 53 Multi AV Scanner detection for dropped file 6->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->55 57 May check the online IP address of the machine 6->57 61 2 other signatures 6->61 14 Skype.exe 14 7 6->14         started        29 C:\Users\user\...\Awb# 8457108962.exe.log, ASCII 9->29 dropped 59 Injects a PE file into a foreign processes 9->59 18 Awb# 8457108962.exe 17 10 9->18         started        21 Awb# 8457108962.exe 9->21         started        23 Skype.exe 12->23         started        signatures5 process6 dnsIp7 31 162.159.128.233, 443, 49704, 49705 CLOUDFLARENETUS United States 14->31 33 104.237.62.211, 443, 49701 WEBNXUS United States 14->33 35 api.ipify.org 14->35 37 discord.com 162.159.138.232, 443, 49699, 49706 CLOUDFLARENETUS United States 18->37 43 3 other IPs or domains 18->43 25 C:\Users\user\AppData\Roaming\...\Skype.exe, PE32 18->25 dropped 27 C:\Users\user\...\Skype.exe:Zone.Identifier, ASCII 18->27 dropped 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->63 65 Tries to steal Mail credentials (via file / registry access) 18->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->67 39 173.231.16.76, 443, 49703 WEBNXUS United States 23->39 41 api.ipify.org 23->41 69 Tries to harvest and steal browser information (history, passwords, etc) 23->69 71 Installs a global keyboard hook 23->71 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/67694aa8ad851eae7f51b1e7067470d051f773f7d8ece3e0866290290556e06b/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-28 05:50:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5uuvkfnqupk472rwhtqm5dq2bi7o47x3dwohyegmkicsbkw4bvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0056220f99ba416ddf1be2d7f17315e2f26c441ec7591dee99153ba1683788b9
AgentTesla
3191fe463f8c9a91ccf9ed9a81daef803f9c184fcb093b24ffafa1f2f318eb64
AgentTesla
4727f0ec89919b2ccbc3d29a9f4ccc59d65d01a57730ba0582a6ccbf34e2abf0
AgentTesla
5d8be46b4470316ef7c2b9c230b997598a6b8a0eb49d334c87e6fece01b9f460
AgentTesla
6fdccf8fc50e57a15c14660871cfb0553bec062cf7a1b33f50393c82cd753eaa
AgentTesla
7ea54a151d7340d97ccc3d53dbf82900b2205f0df10b0571a12501ecaad5359d
AgentTesla
966cfb695adaa54a40c5306273de74f5de0924a7e874ee498591818c5a963b35
AgentTesla
9d8720d03350b0737e0a315bdf24d79a1344d87c1027a7f01b9971a3e000d01c
AgentTesla
a9f645191afe5a816749280ee777e840a940077ee62e30cfcf83063cab2741f3
AgentTesla
f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c
AgentTesla
+ 960 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230228-jmjh6aaa4v/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1077318420246315151/Vh9LblP4IYhONe297fdZDyxjOOQBGRDY4S5bXVWoSQZyiT-o8U-eZ2t6GqVVsbQvy8w0
Unpacked files
SH256 hash:
2cd5ed1d1029a10a996030621c2ecb4fb55242b5bbb317633499906bb9fd228d
MD5 hash:
314b1b92fc84f789337f22793ba66027
SHA1 hash:
ef4ee32ba56c6f6911bf7dffe24b0e86b154edde
Link:
https://www.unpac.me/results/ce33d521-e69e-41f5-8ae7-ac65e917af33/
SH256 hash:
c07b3a808a6036221e8427e3f4e3867c2b280ff26de073ac396bb42fb71f0c47
MD5 hash:
39f4a7fc3dad33a2a3af74f8612cb394
SHA1 hash:
d8394d8e4bd118a320477bd074639edb1143eca9
Link:
https://www.unpac.me/results/ce33d521-e69e-41f5-8ae7-ac65e917af33/
SH256 hash:
c6e704bc2fc0f38952347a2d4a0ba1d23edcbfab36b793d9ba1412ad0b8558cf
MD5 hash:
06dc7f31999f92e527b6add15e6ee547
SHA1 hash:
80e7c90370b3011d1b192b525b3077c2ea635fc7
Link:
https://www.unpac.me/results/ce33d521-e69e-41f5-8ae7-ac65e917af33/
SH256 hash:
36c8948fa9b21ad5722af3e6f68474e8d5f82bb687770228ba402f2a7a04fdd3
MD5 hash:
fbad22ee4fa74101bd8b4fd7a325b100
SHA1 hash:
4192c217a2090e3b8befeefc39bc72381cb31fb3
Link:
https://www.unpac.me/results/ce33d521-e69e-41f5-8ae7-ac65e917af33/
SH256 hash:
22bf79cc5f637cf433162937c2c0a982f759712717ff496a275f9f449b7f572a
MD5 hash:
f7fd1edaad3be2fdd02a11b1077e2704
SHA1 hash:
08f5e8993a5f685f7ad7f4c92b1cbf8ac91c6c94
Link:
https://www.unpac.me/results/ce33d521-e69e-41f5-8ae7-ac65e917af33/
SH256 hash:
67694aa8ad851eae7f51b1e7067470d051f773f7d8ece3e0866290290556e06b
MD5 hash:
fc153e34133cfa02c80ebb1599e8d63e
SHA1 hash:
434a6b55f306ad1b55de328663b49d42db831b1c
Link:
https://www.unpac.me/results/ce33d521-e69e-41f5-8ae7-ac65e917af33/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/67694aa8ad85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/67694aa8ad851eae7f51b1e7067470d051f773f7d8ece3e0866290290556e06b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370535/

Comments