MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 718108fa6ed209c41519790279fa6e86ea7ac2de9bf48528c48f50f97602bf3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	718108fa6ed209c41519790279fa6e86ea7ac2de9bf48528c48f50f97602bf3b
SHA3-384 hash:	a9404d1d89feb112bdb83f08e268e651a6dfba25aa4e829c627afee75567987c4f121e24c76264ffe898d0410ec301b2
SHA1 hash:	6fd24a47cf184579a7bbbb14d473ee2533fe8cf4
MD5 hash:	6733d86e9f780d332834db95575cf60c
humanhash:	kitten-burger-foxtrot-batman
File name:	SecuriteInfo.com.Win32.PWSX-gen.12864.20600
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	732'672 bytes
First seen:	2022-11-24 04:34:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:J/gh/PsZ1DX/VDJQtCo887qxa6j2jmPxjqWPA6Szf3SryjnQtN:J/gh/P3Yo0xaW2j6E5Rza8nGN
Threatray	24'097 similar samples on MalwareBazaar
TLSH	T1AEF417CB2F300E84DB5F34715C8D1B8866523DA149F59CF22B35AA786D464FFA69223C
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.12864.20600

Verdict:

Malicious activity

Analysis date:

2022-11-24 04:34:31 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/189b5582-b2a8-4fb9-b6f7-872e0becf939

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/337908/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.12864.20600.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/637ef4765be128ac718e99aa/reports/c083fb73-1ec8-4b51-8683-9365d2f41d0f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/99d60be3-8fef-4cf6-980c-f6938b8bdde9

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1120266

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/718108fa6ed209c41519790279fa6e86ea7ac2de9bf48528c48f50f97602bf3b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-24 04:35:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ogaqr6to2ie4ifizpebht6toq3vhvqw6tp2ikkger5ips5qcx45q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3982f95e9287b4848e04b2ae0e9b329720842a5cb221dff83f1ed48e2f7ad6fe

AgentTesla

58065e837fa1f0b7195e98af39a86a43c28a44491b5c78a97b5577c20f498c5a

AgentTesla

76551972eeedf1a86d9639e25568980c143f8872cec3c110f6c63fbd636523b1

AgentTesla

8c0726ab5d6f41c5e8d123d8c2444eb709543ee350dcecfe6e5190ddfe32e337

AgentTesla

c95b25f8ee7c2ccdc331d63a9239b4c48b06435b6a1e9dcdecf52909313639b2

AgentTesla

f26f175b6191179d1652a4be425c02968ed105891604aae297b2efc14a88c5f5

AgentTesla

fb57bf3906e35fa723bd56e5ba74138996ce7db73f1d6fd9cf18ac03f017b434

AgentTesla

+ 24'087 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221124-e662cacf4z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Checks computer location settings

Looks for VMWare Tools registry key

AgentTesla payload

Looks for VirtualBox Guest Additions in registry

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f4d02c4f-d070-4e27-a9f6-142ea7d5f39d

Unpacked files

SH256 hash:

df0673fef96d235b9421a3e4467aa68b4df9ab1a16e0beb32d5c11f0ad65a889

MD5 hash:

a133d01da4683a6ae469170b85542824

SHA1 hash:

c3b499c42c8e25f2487b976cd619b0c2d30bd013

Link:

https://www.unpac.me/results/830d51be-804d-4352-9cc7-02b5b6fc1c13/

SH256 hash:

91f3999ebd409013d814dfad83fd74a4524f1b4ff6722102a282f8c52a555a0f

MD5 hash:

b895c4793a7a9701bfbfcec024de6cda

SHA1 hash:

bc1bb8b9277357234a8a862534354524ca4c7da1

Link:

https://www.unpac.me/results/830d51be-804d-4352-9cc7-02b5b6fc1c13/

SH256 hash:

c75ccb1a5b4a0fc08251048105696b3b7eb8d270ad1317b5277a8dd8d37472b1

MD5 hash:

29adbabd1bd6f1b4905e8fbb404c4c0a

SHA1 hash:

9f3fb1a294c11a85ced4e05d8c555dc2598ea520

Detections:

AgentTesla

Link:

https://www.unpac.me/results/830d51be-804d-4352-9cc7-02b5b6fc1c13/

Parent samples :

718108fa6ed209c41519790279fa6e86ea7ac2de9bf48528c48f50f97602bf3b
4e2bdf836d194b0403c2692bd0f6d3f113eda05b3e6925c88e0e2d7899f2a595
42c62f61b68113876875636bdae131773cb34e6c0e6e656662ec68d8b34b0c13
ac6e353a17337ed2a5b17500d60f5c74c71d479fd88ce124f256fe09b1378798
e38b4383a70321dc1aa407523474413fe583399fe638aad66fe9113096a8b203
ec84bde980efa561e8c00450fc300a499497d96d5adb5d1d3d587f1ada6549dd
460a7bca0fd3387dfb440db9676a8d784894d9e4ec35c61e4866578bac46dd51
33688ef783b3f8913608927cc25e28bb4a7097a2636d734af213956c60178784

SH256 hash:

4266003684354dcc1b96ebf61cab0d7fb2880dc4afda9bd152b8be67fb32d346

MD5 hash:

b09318824776f188b81122085a9597c7

SHA1 hash:

73121e9aaf5b66e0f2333594e49a3c52c0181a55

Link:

https://www.unpac.me/results/830d51be-804d-4352-9cc7-02b5b6fc1c13/

SH256 hash:

ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52

MD5 hash:

1f2a6c02dcf9aa00a28a5039fb5b8ce0

SHA1 hash:

1ef480867d39b98368af7586a8e6ba38c0c3893a

Link:

https://www.unpac.me/results/830d51be-804d-4352-9cc7-02b5b6fc1c13/

SH256 hash:

718108fa6ed209c41519790279fa6e86ea7ac2de9bf48528c48f50f97602bf3b

MD5 hash:

6733d86e9f780d332834db95575cf60c

SHA1 hash:

6fd24a47cf184579a7bbbb14d473ee2533fe8cf4

Link:

https://www.unpac.me/results/830d51be-804d-4352-9cc7-02b5b6fc1c13/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/718108fa6ed2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/718108fa6ed209c41519790279fa6e86ea7ac2de9bf48528c48f50f97602bf3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/337908/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample