MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300
SHA3-384 hash:	f7fc5ad0285561c4c12d2595ecddf1fa59eaa7b6fa4a0b4052c65cbeb846a17d2ed4667ca6b9f341e67f9d1acc426301
SHA1 hash:	e66ed4fd01550e7fef7fe4b6b4d57aaaf1109c11
MD5 hash:	076569d51c616ec2446a2e6b85205764
humanhash:	wisconsin-ack-quebec-mountain
File name:	076569d51c616ec2446a2e6b85205764
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	17'920 bytes
First seen:	2023-06-22 13:52:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	384:GWeOtTbX4sJStS77uBLbt+B6a2CaneFrmbSEM1+TAVDxfEHufIJzJf:HetAidANFAA36uwJzJf
Threatray	16 similar samples on MalwareBazaar
TLSH	T10C823C1A63DC4236EC9E8779D862334003B6F3BA6B03AB2647CA65652C723704B557F7
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	zbetcheckin
Tags:	64 AgentTesla exe valerehandstand-com

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

254

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

076569d51c616ec2446a2e6b85205764

Verdict:

Malicious activity

Analysis date:

2023-06-22 13:55:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d04a7873-90e8-4b9f-931c-0c60efd1c135

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/401696/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67698654.26913.11654.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6494523ebf0c96409e79a08d/reports/512b9b79-56a1-4e7a-b950-b5e2dc314ac4/overview

Hybrid Analysis MSIL/GenKryptik_AGeneric.AAV trojan

Verdict:

Malicious

Labled as:

MSIL/GenKryptik_AGeneric.AAV trojan

Link:

https://www.hybrid-analysis.com/sample/754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4a5109d8-ece6-47ee-a5ee-7b21c347c77c

Joe Sandbox AgentTesla

Result

Threat name:

AgentTesla

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1259773

Signature

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300/

ReversingLabs TitaniumCloud Win64.Trojan.Cusloader

Threat name:

Win64.Trojan.Cusloader

Alert

Create hunting rule

Status:

Suspicious

First seen:

2023-06-22 13:53:05 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

1

AV detection:

20 of 24 (83.33%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ovdzjtfvyne23mcvc5m4yhgwvxiumfvfbnnt77q3jqgrgpit6maa._file

Threatray malicious

Verdict:

malicious

Similar samples:

06dc6394565b70ac8efd2cc98225cf3ec9b5f7711e036189b186340c591e4f67

AgentTesla

0a0c50dbc5d0c9811bfd0552ddd075e0e1df2cf07049cc546e41f9bf08cb8290

AgentTesla

37efec4c9df42e2a53f73a9923a8e9a1154a790dc5316ec875b5b7640f27d294

AgentTesla

3956c21824bc18caca2523381ce3fa113e40d5e7f47bf2a05d65f2a1a27a3f1d

AgentTesla

3e24e97aba6e7432395abc346ee3484b9dbadbe803a046a84ea41529d6ed8c89

AgentTesla

4d9e0a28423515a1574837873cc75c3c495daebf2247e5353f9028d97ccf3fb6

AgentTesla

670bc9a86f72af2ab43a89c576a4e1874ce188b35a1f5656ea27f4b7ac3d5f09

AgentTesla

71b83a4a645cee8038819ee490a2b6324d287d8aac405adb1b373277dc5c23ab

AgentTesla

ac8608bc5b4c0f07e986efa1965ea77825ef430b4c7699e569a43877aeebc6a5

AgentTesla

e43e5c816ce04f8fa14c819ff2b5bfc02c03e27a4b0a6b85875ef11ea4d4489f

AgentTesla

+ 6 additional samples on MalwareBazaar

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230622-q6ywhsga71/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

UnpacMe

Unpacked files

SH256 hash:

754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300

MD5 hash:

076569d51c616ec2446a2e6b85205764

SHA1 hash:

e66ed4fd01550e7fef7fe4b6b4d57aaaf1109c11

Link:

https://www.unpac.me/results/4c4d6c6f-ed72-43d1-a5a6-69bd22722b04/

VMRay AgentTesla

Malware family:

AgentTesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/754794ccb5c3/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe 754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300

(this sample)

  

Delivery method

Distributed via web download

  

URLhaus

https://urlhaus.abuse.ch/url/2669669/

Cape

https://www.capesandbox.com/analysis/401696/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-06-22 13:52:43 UTC

url : hxxps://sofancy.co.za/data/IqXYLXKzl6.exe