MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70a6380ac61f933eddc4cd126d95836371a933c5a311882701a5eaa1fd8b99f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70a6380ac61f933eddc4cd126d95836371a933c5a311882701a5eaa1fd8b99f7
SHA3-384 hash: e840070bf8d67bf91c0f4e3f32af023ff7a62e21eeb0ff12bb1d8598e9c5a7a46d2650188492bad1cffe724cad6ad8d2
SHA1 hash: 5f834a57a8e55f8e1738f0b3fce5bcf5467b56c4
MD5 hash: b2beecf8dc86c0777f431b254f80a713
humanhash: mockingbird-thirteen-diet-winter
File name:malware.mal
Download: download sample
Signature AgentTesla
Create hunting rule
File size:167'424 bytes
First seen:2023-01-10 14:11:20 UTC
Last seen:2023-01-10 15:36:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:ImEidxTNv+mHk1snlwVjZ2MJ1f9YBLiRjGcv4wWGjKoJwLKrlwjZ:dNv+y2klihJwB+ewrj262
Threatray 19'912 similar samples on MalwareBazaar
TLSH T11AF3292992D94E52C73D40B4C4A0315B06B2A1B2561BF7BD0FB19CF73E4A7D3362E962
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter x0rPE
Tags:.NET AgentTesla exe obfuscated

Intelligence

File Origin
# of uploads :
3
# of downloads :
331
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
malware.mal
Verdict:
Malicious activity
Analysis date:
2023-01-10 14:13:50 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/5e498f99-4327-4c91-8eb7-3d72ecc2fde0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351565/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.59042.548.812.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
hacktool packed
Link:
https://www.filescan.io/uploads/63bd723383a5ae8cb4a85442/reports/6c92dbfe-bf48-4a5d-982f-a73073e9a188/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37a24754-0705-487a-b0c2-7706e0200654
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1148817
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70a6380ac61f933eddc4cd126d95836371a933c5a311882701a5eaa1fd8b99f7/
Threat name:
ByteCode-MSIL.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-01-10 14:12:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=octdqcwgd6jt5xoezujg3fmdmny2sm6fumiyqjybuxvkd7mlth3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26fd5960f4df473e74ae181061882322a19eab1b37f4ebc846d8634f538d43e9
AgentTesla
2b924314517e86bfece5ecc1e2a6386ac415c9db078a48e7e974a08a8c6255ed
AgentTesla
4a683b38bf8bcb7b198d4be37413033f2a015aaed075cbe81ba63e3190647dff
AgentTesla
58868fb2b2750486f4b108ade7279abe3088d01a4c7dfe459205895d89ea4322
AgentTesla
6b985b8239b575b46b57f36daaa55e30efabf08e39f2a421e12f0e6b82cb5cc4
AgentTesla
b6efd81dbe299d7f5bb1c741982a60524299d6592ab78fd83aefa79a8971af1d
AgentTesla
f2b319e1d2fdad6549ad9f56894221d7c3f8706d96012316dae1b52231a46247
AgentTesla
f8b91c3419d4afe1cd3cdb4deffa3baa3f0e8dd92f41784d99497106075267d8
AgentTesla
fa2301c017f32fbe205082b01c1608826ea7e7346739c338ff222648b0b14c89
AgentTesla
fce48b4993cc9580290c751a7cb151c06c861cf2033a9d59b00135c955cef072
AgentTesla
+ 19'902 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230110-rhtsbscb4x/
Behaviour
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/95660759-2a08-4760-a1fe-4396c6550afc
Unpacked files
SH256 hash:
70a6380ac61f933eddc4cd126d95836371a933c5a311882701a5eaa1fd8b99f7
MD5 hash:
b2beecf8dc86c0777f431b254f80a713
SHA1 hash:
5f834a57a8e55f8e1738f0b3fce5bcf5467b56c4
Link:
https://www.unpac.me/results/8b6df24b-2e87-46fe-b933-70d847e3008a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/70a6380ac61f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/70a6380ac61f933eddc4cd126d95836371a933c5a311882701a5eaa1fd8b99f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 70a6380ac61f933eddc4cd126d95836371a933c5a311882701a5eaa1fd8b99f7

(this sample)

  
Link
https://tria.ge/230110-mea4laff75
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/351565/

Comments