MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 758ebfe9abda91060e57c14ee1aaf699199a02db641bf5e7db620af5b8160f58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 758ebfe9abda91060e57c14ee1aaf699199a02db641bf5e7db620af5b8160f58
SHA3-384 hash: 05b8d4df69de9e2f5a65ed34c0c5cb6aea733a4d724c4258a122ad793121d01bb4c7cb7ca045e04f4d61011c01357384
SHA1 hash: d82892ddfb420eef95df7c401690404e638c9fbe
MD5 hash: 36b3bcb27c3820613e5e32f4d4019d6e
humanhash: football-west-earth-salami
File name:RFQ - AUTO PARTS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:743'936 bytes
First seen:2023-07-25 18:05:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:9kvJRBusykq07Df+LuDhFb1hFlCjDZIGIem6T2ZK/5mjkBiisoy:cFuwq8f+LuDHb/FEDmPiT2owQi1/
Threatray 701 similar samples on MalwareBazaar
TLSH T1EBF4236A377E6E23E698BEB44690D540033661A43D13D3DCDDB670892E97B80BF122D7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 48d4f4f0f0f0d8c0 (37 x RedLineStealer, 18 x AgentTesla, 9 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RFQ - AUTO PARTS.exe
Verdict:
Malicious activity
Analysis date:
2023-07-25 18:07:33 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/f0b62854-adc2-4214-a01a-f2785b2eb576

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/432960/
Detection(s):
Win.Packed.Boxter-10005643-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/758ebfe9abda91060e57c14ee1aaf699199a02db641bf5e7db620af5b8160f58
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c4cc5fb-2e78-4f57-8c55-e11112c9e9b2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279558
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1279558 Sample: RFQ_-_AUTO_PARTS.exe Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 75 Snort IDS alert for network traffic 2->75 77 Found malware configuration 2->77 79 Sigma detected: Scheduled temp file as task from temp location 2->79 81 7 other signatures 2->81 7 RFQ_-_AUTO_PARTS.exe 7 2->7         started        11 HvVlKXFh.exe 5 2->11         started        14 newapp.exe 5 2->14         started        16 newapp.exe 2->16         started        process3 dnsIp4 53 C:\Users\user\AppData\Roaming\HvVlKXFh.exe, PE32 7->53 dropped 55 C:\Users\...\HvVlKXFh.exe:Zone.Identifier, ASCII 7->55 dropped 57 C:\Users\user\AppData\Local\...\tmp3B45.tmp, XML 7->57 dropped 59 C:\Users\user\...\RFQ_-_AUTO_PARTS.exe.log, ASCII 7->59 dropped 91 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->91 93 May check the online IP address of the machine 7->93 95 Uses schtasks.exe or at.exe to add and modify task schedules 7->95 97 Adds a directory exclusion to Windows Defender 7->97 18 RFQ_-_AUTO_PARTS.exe 17 5 7->18         started        23 powershell.exe 21 7->23         started        25 schtasks.exe 1 7->25         started        73 192.168.2.1 unknown unknown 11->73 99 Multi AV Scanner detection for dropped file 11->99 101 Machine Learning detection for dropped file 11->101 103 Injects a PE file into a foreign processes 11->103 27 HvVlKXFh.exe 11->27         started        29 schtasks.exe 11->29         started        31 newapp.exe 14->31         started        33 schtasks.exe 14->33         started        35 newapp.exe 16->35         started        37 schtasks.exe 16->37         started        file5 signatures6 process7 dnsIp8 61 api4.ipify.org 173.231.16.76, 443, 49692, 49694 WEBNXUS United States 18->61 63 api.telegram.org 149.154.167.220, 443, 49693, 49699 TELEGRAMRU United Kingdom 18->63 65 api.ipify.org 18->65 49 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 18->49 dropped 51 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 18->51 dropped 83 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->83 85 Tries to steal Mail credentials (via file / registry access) 18->85 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->87 39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        67 api.ipify.org 27->67 43 conhost.exe 29->43         started        69 api.ipify.org 31->69 45 conhost.exe 33->45         started        71 api.ipify.org 35->71 89 Tries to harvest and steal browser information (history, passwords, etc) 35->89 47 conhost.exe 37->47         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/758ebfe9abda91060e57c14ee1aaf699199a02db641bf5e7db620af5b8160f58/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 00:58:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=owhl72nl3kiqmdsxyfhodkxwtemzuaw3mqn7lz63mifploawb5ma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
363b5b951382bb7c9af26fadf9a61541d5a2d4e733adcb40fbc87e18579fd69f
AgentTesla
5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f
AgentTesla
6771834e7cdb8a8f7813d313e65281901a61493653beb7fd0aad365036ede94a
AgentTesla
6d5b825b8559f912c5e26bb5290bffb54c674347f98711fc9e63d2aed0bc9c12
AgentTesla
7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a
AgentTesla
76d55aec6c6ce78586bcfa2b1ae7e727d9c922ff75a3f2aedc7cba917f793395
AgentTesla
7ae867cd981bcf4ee5a98923f6ca7e415f3287b1ad04a6e31b3f905a67b2c1e5
AgentTesla
812b79890b4f2f12bbf6feda239d5daa55bb4870aef44cc01621a02f1fad4814
AgentTesla
81a48f67c7805ecf8ee47f17999208a9a116fca844d8dff8dbf12f66f4c91445
AgentTesla
af093bd71cb66c24a34d31d6efa125d86e6ffa89bfbfad9d20658889553e133d
AgentTesla
+ 691 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230725-wpqrgaeh22/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6277240654:AAFrA27rnZiCxrm3Aov6JwG7la5tg3qbLbk/
Unpacked files
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/4a1a776b-76be-461a-bf5c-5c553b8f4ea9/
SH256 hash:
c91280d052ab473aa2393f572d32ef79bd3b1005bc17c70325a51782330c801e
MD5 hash:
59af67d64196f07999c529395e05db2e
SHA1 hash:
7e174f52a0aa7a7883293915bab0f480f5f12a18
Link:
https://www.unpac.me/results/4a1a776b-76be-461a-bf5c-5c553b8f4ea9/
SH256 hash:
6cd68416bc4e342447793b31528dde4f2fca07a3da7136d10081ff8c63de9afb
MD5 hash:
45f9e68648b495bb71478a022bca4a2e
SHA1 hash:
3fb9a2c1088851bba4ec3db3f12a84d8125f4d0f
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/4a1a776b-76be-461a-bf5c-5c553b8f4ea9/
SH256 hash:
e6f6d4537b5a06dcaa639efb0f59ad138130ef4c513244de3546a5738c0ebed3
MD5 hash:
04c1c72fcdab1c3639a9bedb97400004
SHA1 hash:
0e02ae80df4243f81292cbfbed7037f171aaf544
Link:
https://www.unpac.me/results/4a1a776b-76be-461a-bf5c-5c553b8f4ea9/
SH256 hash:
758ebfe9abda91060e57c14ee1aaf699199a02db641bf5e7db620af5b8160f58
MD5 hash:
36b3bcb27c3820613e5e32f4d4019d6e
SHA1 hash:
d82892ddfb420eef95df7c401690404e638c9fbe
Link:
https://www.unpac.me/results/4a1a776b-76be-461a-bf5c-5c553b8f4ea9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/758ebfe9abda91060e57c14ee1aaf699199a02db641bf5e7db620af5b8160f58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 758ebfe9abda91060e57c14ee1aaf699199a02db641bf5e7db620af5b8160f58

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/432960/

Comments