MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 704e5626e3a5c8b1b3dbefbeabca7488e77758c9aed89d0dc7e30d18da1b6bd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 13 File information Comments

SHA256 hash:	704e5626e3a5c8b1b3dbefbeabca7488e77758c9aed89d0dc7e30d18da1b6bd9
SHA3-384 hash:	fca4dac5cd8fdb36b55c995bb22d8a6622d3bb8944a162ebe3be7474741f6f0fb39a62344f6b5d9160cf8eb4222a8288
SHA1 hash:	a6f7a1d5e04a167e5a5ce160094d5da5b89036b2
MD5 hash:	d5288b1e9b08397e2ac89405c34b749f
humanhash:	kilo-one-uniform-fanta
File name:	SecuriteInfo.com.Win32.PWSX-gen.21504.18984
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	707'072 bytes
First seen:	2023-12-11 06:27:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:b3IU8S6eUdNw9V18pt2FDKXSn6B8SKWRKL2ZIezvJBAhvRlCP5:rItSAdWrqiedtrYLjSxBATw5
Threatray	4'375 similar samples on MalwareBazaar
TLSH	T17EE412A47775AB85CC731BFA58681CF32BB2FCB16071C21DADDD31855A733229812A63
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	71d496b2a296dc71 (11 x zgRAT, 7 x AgentTesla, 3 x Formbook)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Detection:

zgRAT

Link:

https://www.capesandbox.com/analysis/464945/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Win32.PWSX-gen.21504.18984.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6576abf356f85d0de4165bb1/reports/afd829f9-9c30-47a9-b22a-e1283fdb38e8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/704e5626e3a5c8b1b3dbefbeabca7488e77758c9aed89d0dc7e30d18da1b6bd9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f1059686-97b0-4b18-a0e1-8a58dc70b0cd

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1358138

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/704e5626e3a5c8b1b3dbefbeabca7488e77758c9aed89d0dc7e30d18da1b6bd9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/704e5626e3a5c8b1b3dbefbeabca7488e77758c9aed89d0dc7e30d18da1b6bd9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-11 02:43:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=obhfmjxduxeldm63567kxsturdtxowgjv3mj2doh4mgrrwq3npmq._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

1100b4580e6299445e00a5c268060f3ae748fe19e3879b84a39cd35f5fce8626

AgentTesla

545e2d4bcafcfebab9664792284b2783e65a355b70f09965832ce161c7d6659c

AgentTesla

6a5c9a20549cf4dcbd4453faaadfebdccd4b7114b962afee485c658d18b2a1b6

AgentTesla

704e5626e3a5c8b1b3dbefbeabca7488e77758c9aed89d0dc7e30d18da1b6bd9

AgentTesla

+ 4'365 additional samples on MalwareBazaar

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:agenttesla family:zgrat keylogger rat spyware stealer trojan

Link:

https://tria.ge/reports/231211-g8bdkafdeq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Detect ZGRat V1

ZGRat

AgentTesla

Unpacked files

SH256 hash:

797e57bd74a68f7b4808a213f5c319ee4f4b023bc73088175d4393dfee9fe329

MD5 hash:

3c927935fbd608e7628cc2c5ad7d52fd

SHA1 hash:

ee0c880c0614ac960fd641f7d479233584aed1d8

Link:

https://www.unpac.me/results/af8dfd24-6493-48bb-b935-af0b2e856fcd/

SH256 hash:

99cf672bb5efbefd6a013fbcb95ee30c3cf66265e1aedc8bdd81f50cbe9ef449

MD5 hash:

0c74f56fe4f499c658c3962f436c99d4

SHA1 hash:

862a7ee2704f1cd349295f45a22ccd1f7b9c94ec

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/af8dfd24-6493-48bb-b935-af0b2e856fcd/

Parent samples :

066b80f163774df79a3f3da5fcea27fd1b2b8edc54da2be90aca5b53abe0c590
116471f0d1acaf2e16533a66e0f53eb4c281e5a58a20533724ee6eab2a355f8f
704e5626e3a5c8b1b3dbefbeabca7488e77758c9aed89d0dc7e30d18da1b6bd9
1c1ffe1a97f66ee3f36058ba41beda34fe52b2a4ff3e10dbf487d3ead8ca8432

SH256 hash:

b2f2977e586722bb814c254a6858c85c01ef6f5511714013ecf3c7f6113424be

MD5 hash:

58bdf622527cd656d209f10e1ee2690d

SHA1 hash:

299408ecc56aa0f4035800781c8cd813774031a5

Link:

https://www.unpac.me/results/af8dfd24-6493-48bb-b935-af0b2e856fcd/

SH256 hash:

7d968ee2ec1bf4c1bf9228f8f2794675de987ac83bac5f8c608963526a435ed3

MD5 hash:

1845455753429aeee7c7762ef407d8ea

SHA1 hash:

050f55f9458f419c8fec7b31cf80542849d33a76

Link:

https://www.unpac.me/results/af8dfd24-6493-48bb-b935-af0b2e856fcd/

SH256 hash:

704e5626e3a5c8b1b3dbefbeabca7488e77758c9aed89d0dc7e30d18da1b6bd9

MD5 hash:

d5288b1e9b08397e2ac89405c34b749f

SHA1 hash:

a6f7a1d5e04a167e5a5ce160094d5da5b89036b2

Link:

https://www.unpac.me/results/af8dfd24-6493-48bb-b935-af0b2e856fcd/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/704e5626e3a5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/704e5626e3a5c8b1b3dbefbeabca7488e77758c9aed89d0dc7e30d18da1b6bd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/464945/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample