MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74f0cd3a4b819ccc977a778fccba82e096dec880a6dba59641fedbdcfb4f7292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74f0cd3a4b819ccc977a778fccba82e096dec880a6dba59641fedbdcfb4f7292
SHA3-384 hash: c154be0100d28f9cb1ffd8613161e87b79e55b6cf0dfe96a2abbbd6ab0eba6563bf5f0f9264dc660977485cbb1d70e89
SHA1 hash: f3b2cd5e7552c800653c35080034b0597ff9be16
MD5 hash: d9279aaabf04653b63bb553c36f2598e
humanhash: utah-alabama-foxtrot-vermont
File name:문의의 건_Rev.A.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:556'032 bytes
First seen:2023-04-14 06:11:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:kbFrQLqplOva13dtAGiLBh7OxB2ocMsIUFurMy2yhy:klQLqN1teGcBDocMsIGSo
Threatray 2'066 similar samples on MalwareBazaar
TLSH T1D2C42263779CCA2BE1FA17F6102B941107BF5D07E572EB5C2C4B60CB1666B011A9AF83
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
문의의 건_Rev.A.exe
Verdict:
No threats detected
Analysis date:
2023-04-14 06:21:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3885b63d-4f3c-42bd-88de-518bec820bc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382182/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/6438eebab4ec50bace6021c6/reports/67bec8fb-5502-4434-8d6d-04b1a483dbe3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/74f0cd3a4b819ccc977a778fccba82e096dec880a6dba59641fedbdcfb4f7292
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/846c4ad2-6290-42d5-8575-4dfdccfe479e
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213668
Signature
.NET source code contains potential unpacker
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74f0cd3a4b819ccc977a778fccba82e096dec880a6dba59641fedbdcfb4f7292/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=otym2oslqgomzf32o6h4zouc4cln5seau3n2lfsb73n5z62pokja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
15521c63c4acf711edeacb072031aaf7c8eec1b8dfdaf364ffd3e9f71fa66cff
AgentTesla
1ca3575bdfb30ebbb970d00611808d9de9816763aa135d2e22a5b208cd4d3b23
AgentTesla
54d2d443952347ccc724a8f39806ff9fca252511b2fca91e2fd6c9998612ed32
AgentTesla
58c82c6759d1284e35311a76db2c5c81db938ac0722ab97ee5c56ac75caefe13
AgentTesla
6afb80ce0f8163b83cf83124fa71b192233af267bd7089cfa4a9a2ff47abd854
AgentTesla
8382a6ee4216faec05fbd17a082a85a05c4878ba1dbc440744439a5011eea035
AgentTesla
851f52d27f15eb052fdaef1c0cdf91c9642d5b3c170a62a56c67d5b1b24d0c9f
AgentTesla
8a737bbbfd9a311f50f79ce1c47f6f86a40dcf3372e801e669e5fe9568bad3fe
AgentTesla
94c89d127587016abb2f7926c8eb23c10665787301fc7f5ca711b6bc02e60a88
AgentTesla
bf71bd90c11bb97f08391a42466582b08c5089cf47ea9075dc7e1a24d1b97016
AgentTesla
+ 2'056 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230414-gx7ydsgf25/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/33bda0e8-59a0-44d2-9dc4-4cd91e04db51/
SH256 hash:
00d07f0fcbb52c3855ca08a14539f28bfa5ab2e7071692fe833c1f0e60595a5f
MD5 hash:
ed554c5b8f515bd321de9d8ebefc87dd
SHA1 hash:
8c557d0f80cb09e671f46c81baa1123ce6f8c9dd
Link:
https://www.unpac.me/results/33bda0e8-59a0-44d2-9dc4-4cd91e04db51/
SH256 hash:
e23d41788dc254286f9ee9658b07e4c2fd6663402996ae12975b1d8a1fd5239b
MD5 hash:
11ffbdae25bb40f125a0db90c3ebfb61
SHA1 hash:
749803354094f322c1575a5deb80e9929710e013
Link:
https://www.unpac.me/results/33bda0e8-59a0-44d2-9dc4-4cd91e04db51/
SH256 hash:
05b37b4f31612a4e7d360bc6317422c0945f82b071afc241b58cd3ac72da12ac
MD5 hash:
d2ba439e0a9fa77a2bcc01e411b40d18
SHA1 hash:
59797ff8d300fdacf923b161b59bbce5eb493bc7
Link:
https://www.unpac.me/results/33bda0e8-59a0-44d2-9dc4-4cd91e04db51/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/33bda0e8-59a0-44d2-9dc4-4cd91e04db51/
SH256 hash:
74f0cd3a4b819ccc977a778fccba82e096dec880a6dba59641fedbdcfb4f7292
MD5 hash:
d9279aaabf04653b63bb553c36f2598e
SHA1 hash:
f3b2cd5e7552c800653c35080034b0597ff9be16
Link:
https://www.unpac.me/results/33bda0e8-59a0-44d2-9dc4-4cd91e04db51/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74f0cd3a4b81/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 74f0cd3a4b819ccc977a778fccba82e096dec880a6dba59641fedbdcfb4f7292

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382182/

Comments