MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 751e97d79511338f167c15ce971bb790c685a72d7dc1598a50b126099592c496. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 751e97d79511338f167c15ce971bb790c685a72d7dc1598a50b126099592c496
SHA3-384 hash: dc5f1bc9deb00013f973f7e0cbb63e87206a5d6982344a9aa1093743561d7198d57a9344898db3dace87aa3d5f4421bc
SHA1 hash: ddc8ebdec7a6b4cc874401e5c221e788d94d185d
MD5 hash: 287f84e4086454fa604a254c7f0d5f6c
humanhash: beer-bravo-oranges-nine
File name:file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:22'848 bytes
First seen:2022-10-27 23:18:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 384:5mx+qGQGnkpmO8ZpHzGovUJAYkr5kYZFP:5jhnkpmOiRPPrk+FP
Threatray 342 similar samples on MalwareBazaar
TLSH T1F7A26E5A7FC8358ECA02D67154B2750B0EFC86B1A79383C62C88B90A4D5339D25736B7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 30b2c4c8c8c4b030 (53 x Formbook, 41 x RemcosRAT, 20 x AgentTesla)
Reporter jstrosch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RFQ-IMP 90881-00.js
Verdict:
Malicious activity
Analysis date:
2022-10-26 10:10:53 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/20978d68-6e9f-478a-af47-c2978f793565

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325265/
Detection(s):
SecuriteInfo.com.UntrustedCertificate.Aichost.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the system32 subdirectories
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Creating a window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54803d70-2ad0-4f12-aff7-e325863e4c96
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1099929
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/751e97d79511338f167c15ce971bb790c685a72d7dc1598a50b126099592c496/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 17:10:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oupjpv4vcezy6ft4cxhjog5xsddiljznpxavtcsqwetatfmsysla._file
Verdict:
malicious
Similar samples:
06e06f939667ab186db1380b1b948639e3bf01e808e2b98bcb8d7dec3e734314
AgentTesla
435d0e10242410c1f8513df632eac9966534480a2a211fdc2914ad9181b87007
AgentTesla
71c45909c25e965096289f4b941cc7d7c2486534529e4e4110612aaa34502ff8
AgentTesla
98bd201c6a1ae16ccce5009af1cc3ec5b0dd46c31f1b814c93f91bc1376dc3cf
AgentTesla
c039e7f272ffb31cecfdbb5909ce04c29768916a4c66d47e0be8ea04afe9a762
AgentTesla
cb526159a3186694b746856ab53ea28e2f847a1623f5caf8cfe73021bc1a9196
AgentTesla
d915094865ca0d36398957538ca6afb7c59354d1ff13676c8032470986c7db9b
AgentTesla
f3d8fd75e106b26fb267e3d5c78c299b052c5ef53228b0f0fba3e308bcad1d26
AgentTesla
f53340a00d5248f81164bd5a1880698c4926cf62dc2fc5c93696f87780733b1a
AgentTesla
+ 332 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221027-3atm5secam/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
751e97d79511338f167c15ce971bb790c685a72d7dc1598a50b126099592c496
MD5 hash:
287f84e4086454fa604a254c7f0d5f6c
SHA1 hash:
ddc8ebdec7a6b4cc874401e5c221e788d94d185d
Link:
https://www.unpac.me/results/e81bf0a7-ed05-453c-846b-fc6433aa77ef/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/751e97d79511/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/751e97d79511338f167c15ce971bb790c685a72d7dc1598a50b126099592c496

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 751e97d79511338f167c15ce971bb790c685a72d7dc1598a50b126099592c496

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/325265/
  
URLhaus
https://urlhaus.abuse.ch/url/2389261/

Comments