MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74622dee4841085cd64da27da09c697236e5846915736d7d43200874927b6bc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74622dee4841085cd64da27da09c697236e5846915736d7d43200874927b6bc8
SHA3-384 hash: e0a159fcceb83335de8c69adae89d7a47cb70f8a2bb751cb2bc97eb7dee578ab701785ddf81c839c4681f2390a6f36e3
SHA1 hash: 52ba9972abe762315f4ae31d5ead298c43aad090
MD5 hash: ce0edd836f1ddd1a206c39b2081116eb
humanhash: mexico-india-fix-golf
File name:NewPo075.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'325'440 bytes
First seen:2023-10-18 16:09:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:JXghjhB3HzbPoTwu5VQTDx8u9205FbZcddPf1Zk9RUv:J6jHXZ8qvWPPGRA
Threatray 84 similar samples on MalwareBazaar
TLSH T126F5D417B6878FB2C349173AC59B1F246BADD5C27313D71A2E8E236D08CB7BA9944107
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1f195b5a5b6f777f (12 x AgentTesla, 2 x AZORult, 2 x PureCrypter)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
NewPo075.exe
Verdict:
Malicious activity
Analysis date:
2023-10-18 18:08:19 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/509d9c56-3cf1-4bd8-bb90-620a02352ab4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Lazy.356631.18774.7364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Setting a keyboard event handler
Reading critical registry keys
Creating a window
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6530036510dbe5fb92cddf38/reports/7845204d-9e53-4020-b304-db0f9de7a28f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/74622dee4841085cd64da27da09c697236e5846915736d7d43200874927b6bc8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43b2814d-9be8-4c44-b685-f180c437d903
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
n/a
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1328164
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1328164 Sample: NewPo075.exe Startdate: 18/10/2023 Architecture: WINDOWS Score: 100 29 mail.logwearint.com 2->29 31 logwearint.com 2->31 33 2 other IPs or domains 2->33 49 Found malware configuration 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->53 55 6 other signatures 2->55 7 NewPo075.exe 1 5 2->7         started        11 Bedhx.exe 5 2->11         started        13 Bedhx.exe 4 2->13         started        signatures3 process4 file5 27 C:\Users\user\AppData\Roaming\Bedhx.exe, PE32 7->27 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->59 61 Contains functionality to register a low level keyboard hook 7->61 15 NewPo075.exe 15 2 7->15         started        19 NewPo075.exe 7->19         started        63 Antivirus detection for dropped file 11->63 65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 21 Bedhx.exe 14 2 11->21         started        23 Bedhx.exe 11->23         started        69 Injects a PE file into a foreign processes 13->69 25 Bedhx.exe 13->25         started        signatures6 process7 dnsIp8 35 logwearint.com 109.70.148.130, 49711, 49714, 49716 BANDWIDTH-ASGB United Kingdom 15->35 37 api4.ipify.org 104.237.62.212, 443, 49710 WEBNXUS United States 15->37 41 Installs a global keyboard hook 15->41 39 173.231.16.77, 443, 49713, 49715 WEBNXUS United States 21->39 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->43 45 Tries to steal Mail credentials (via file / registry access) 25->45 47 Tries to harvest and steal browser information (history, passwords, etc) 25->47 signatures9
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/74622dee4841085cd64da27da09c697236e5846915736d7d43200874927b6bc8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/74622dee4841085cd64da27da09c697236e5846915736d7d43200874927b6bc8/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-26 23:20:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=orrc33siieefzvsnuj62bhdjoi3olbdjcvzw27kdeaehjet3npea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0972105c3cb2d74e7cb3f00ddcc6cc96089524d5625b62f71e27d5857c6eba40
AgentTesla
436f74f3d2537685ed53a9a83ae70cc1a98e987d90ba949ca879a854e2970ed9
AgentTesla
493e3d54159cd3ebde6aa0b5216ddcb14863b4b064bb80c654353838926d191d
AgentTesla
6cc94af7278990c89ed746ebc99759dc7d847cfcdd3cd327d15988b489e3e59d
AgentTesla
88a4db278dbd7534d6e9faa9c13838cf53b251aec51e46a025012debe54bc99b
AgentTesla
a733065ba4e8987727892b1c9ff5e562624385b175ed2e80af74c1fc4579bd58
AgentTesla
a9d1f9c94b40e55b169fb37966dc8c89b0ffec5974077975e56bbda4cec452b0
AgentTesla
e579952e0a6c558c001274aa13e6ac8297a3991497f0163917e6db3a37430f83
AgentTesla
fb5a97acf9b392addd2c222672ee4d97b6d1a39e6877734db1cb012f6a356793
AgentTesla
+ 74 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:zgrat collection keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231018-tmdm1shd48/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
6d7e993c8d52cb3d19bf4994fc3afb0afe87f55909428c8a7738e93d32234e17
MD5 hash:
ea7c65eb3b0c1855a17de565cded0053
SHA1 hash:
fdbeb77abb619b98babc67d6ccdc408371041ee2
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e83de4ac-3a13-485c-ad15-705ac3bca00c/
SH256 hash:
79f6e1d8097860b4bec66db98ca9688afe6dda857e627a433ff22278bfc3435d
MD5 hash:
c4256de2501bfdfa5f1549054cf41c58
SHA1 hash:
a52dcbd44053aa26bd33d13fb17b291573e04bd4
Link:
https://www.unpac.me/results/e83de4ac-3a13-485c-ad15-705ac3bca00c/
SH256 hash:
be143f3a4ff62b59c2c8e3d436d2f9f86fea5c8b468116fbf44ab678e35bd660
MD5 hash:
232ddeb0ce193ea38201adc04eddcf68
SHA1 hash:
5be67628a3dd2bfd5783b6cfa2c541affc54d2e9
Link:
https://www.unpac.me/results/e83de4ac-3a13-485c-ad15-705ac3bca00c/
SH256 hash:
b1b5482ab816e47d76a2f764d91c51559becc13a988b56da2b822a268b6bdb01
MD5 hash:
78ff3e65ebe011265cc4077c871cd20b
SHA1 hash:
039ab438eb3cae33df44274d01263611cf80f695
Link:
https://www.unpac.me/results/e83de4ac-3a13-485c-ad15-705ac3bca00c/
SH256 hash:
74622dee4841085cd64da27da09c697236e5846915736d7d43200874927b6bc8
MD5 hash:
ce0edd836f1ddd1a206c39b2081116eb
SHA1 hash:
52ba9972abe762315f4ae31d5ead298c43aad090
Link:
https://www.unpac.me/results/e83de4ac-3a13-485c-ad15-705ac3bca00c/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74622dee4841/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/74622dee4841085cd64da27da09c697236e5846915736d7d43200874927b6bc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments