MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74e026864737309f9d0055cd6fd0bed4fc1889f058440d5e9f21df3bb96f2b9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74e026864737309f9d0055cd6fd0bed4fc1889f058440d5e9f21df3bb96f2b9c
SHA3-384 hash: 5fc6268413cefadef773a6da31e546eb93ac080e0352d073eeab274134b555a5fbc01c3251ac72adfce460f541f69f82
SHA1 hash: 56b996cf27bc41db5f2d199a662d717c9ebae847
MD5 hash: 56999a5a3a8f365e0a33acccc374098f
humanhash: venus-spaghetti-spring-eight
File name:56999a5a3a8f365e0a33acccc374098f
Download: download sample
Signature AgentTesla
Create hunting rule
File size:671'744 bytes
First seen:2023-04-17 09:42:44 UTC
Last seen:2023-04-17 11:37:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:joRJXJTxigpYBvO40AHI+82MuCyOFE+YNO0YfaVKqgdsQ:EXNxijH38UN2vaQyQ
Threatray 2'162 similar samples on MalwareBazaar
TLSH T1CAE4E028D03AADF7E69D0779001426EDDB6462E33577CA3C4B96749AEF9F3151C8408B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
321
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
56999a5a3a8f365e0a33acccc374098f
Verdict:
Malicious activity
Analysis date:
2023-04-17 09:45:12 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/9060c3dd-6aa9-41c5-8fd2-52f576a3f243

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382754/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643d14a848716a65fb201f70/reports/8f53c664-7305-4ed8-943a-3bd5bed16569/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/74e026864737309f9d0055cd6fd0bed4fc1889f058440d5e9f21df3bb96f2b9c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e41a9387-b53d-4f63-b90b-4d88b50e753e
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215074
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848002 Sample: vnXXLRnNxi.exe Startdate: 17/04/2023 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 4 other signatures 2->52 7 vnXXLRnNxi.exe 4 2->7         started        11 TYpjaL.exe 3 2->11         started        13 TYpjaL.exe 2 2->13         started        process3 file4 32 C:\Users\user\AppData\...\vnXXLRnNxi.exe.log, CSV 7->32 dropped 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->54 56 Adds a directory exclusion to Windows Defender 7->56 15 vnXXLRnNxi.exe 17 10 7->15         started        20 powershell.exe 21 7->20         started        58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 22 TYpjaL.exe 14 7 11->22         started        24 TYpjaL.exe 13->24         started        signatures5 process6 dnsIp7 34 royal-arois.com 103.147.154.47, 21, 49696, 49697 IDNIC-DENEVA-AS-IDPTDenevaID unknown 15->34 28 C:\Users\user\AppData\Roaming\...\TYpjaL.exe, PE32 15->28 dropped 30 C:\Users\user\...\TYpjaL.exe:Zone.Identifier, ASCII 15->30 dropped 36 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->36 38 Tries to steal Mail credentials (via file / registry access) 15->38 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->40 26 conhost.exe 20->26         started        42 Tries to harvest and steal browser information (history, passwords, etc) 24->42 44 Installs a global keyboard hook 24->44 file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74e026864737309f9d0055cd6fd0bed4fc1889f058440d5e9f21df3bb96f2b9c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 09:43:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=otqcnbshg4yj7hiakxgw7uf62t6brcpqlbca2xu7ehptxolpfooa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07191de70521a8e76624cfafc6eba3edd19d7784c4c4c683b55f3fd16e377b38
AgentTesla
2a890802046e55c856e2a6be5a2268fb8ba4410c15ac51415a1c30b0cd2336b2
AgentTesla
2e88105d979bfbe65b2ed9322114fc21ef9e1fdb324a63d6198defd1e976d36e
AgentTesla
462b121f72bc42fcefcfc67174e4de53083b977458c7ed3d4009eec6bddd3f1b
AgentTesla
aadd267ebc7dde803f8d0486df95ad9eb6db7f1600fb7fcc0bbba70cd26bfcd2
AgentTesla
aeea171571e3b606d0ef657b0c23b5cd5d48137f028eb39c4a4bbfe9fada48ec
AgentTesla
b88695eda4138138c90c9b490a7bb10a1dc8e9ee3ac9b8502855b138914154ba
AgentTesla
c442b854fb104644d2c9097e2b702de55797f1ccc23a651027de71d01bc693d3
AgentTesla
ed62018b45dbd359db4010e4728f21cc158edf5bf23b302a7a3d86d9eb9b06f1
AgentTesla
f3341ea77e5c8f5e57ee22b1842656ff8225d0fef647bef19d0b0fcc6b87200d
AgentTesla
+ 2'152 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230417-lpw85sdf79/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4b6032d534116ce239649e9ca3ceea757854be41f752f35fdf74d62ba5892733
MD5 hash:
f0bd22005b30d49ba7733f7e8ac374d3
SHA1 hash:
ee4c0b39e4bbd20f8a38ed308638a2ae77f24da5
Link:
https://www.unpac.me/results/dd098593-cb51-4fd2-a096-261795bb4131/
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/dd098593-cb51-4fd2-a096-261795bb4131/
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/dd098593-cb51-4fd2-a096-261795bb4131/
SH256 hash:
508dbddbcc942296c503d344bd132309d3b8d7201227cf1a74704796db9ce1db
MD5 hash:
6f4dc3812b6f008b4e871fb1492a65d8
SHA1 hash:
762eae9f39d263fa9eac5d4b5b568492558bf6f2
Link:
https://www.unpac.me/results/dd098593-cb51-4fd2-a096-261795bb4131/
SH256 hash:
fa3ce4c53fb8e8e922f6ad0fc6617774ad43adf2fd099a149c952127e1e650d3
MD5 hash:
44c64a316ef0894a291fa521ef0a48bb
SHA1 hash:
7233fbebea24982f0bc5ee1fe16a75cd360a272e
Link:
https://www.unpac.me/results/dd098593-cb51-4fd2-a096-261795bb4131/
SH256 hash:
74e026864737309f9d0055cd6fd0bed4fc1889f058440d5e9f21df3bb96f2b9c
MD5 hash:
56999a5a3a8f365e0a33acccc374098f
SHA1 hash:
56b996cf27bc41db5f2d199a662d717c9ebae847
Link:
https://www.unpac.me/results/dd098593-cb51-4fd2-a096-261795bb4131/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74e026864737/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74e026864737309f9d0055cd6fd0bed4fc1889f058440d5e9f21df3bb96f2b9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 74e026864737309f9d0055cd6fd0bed4fc1889f058440d5e9f21df3bb96f2b9c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2611637/
Cape
Cape
https://www.capesandbox.com/analysis/382754/

Comments


Avatar
zbet commented on 2023-04-17 09:42:47 UTC

url : hxxps://edmine.net/games/htmll.exe