MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75b5fb4ad3ead4091a83a4dde5e6b328196f62a529817ff705450a47dc94a3c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	75b5fb4ad3ead4091a83a4dde5e6b328196f62a529817ff705450a47dc94a3c6
SHA3-384 hash:	74698112d184cb8aefd48cf234495cc0a88841285ef82df44f826c5f0a79d43aec7108afb0a484d478ad92737407044c
SHA1 hash:	c495b844d81a5d1fd517c73c487914268a16f607
MD5 hash:	43b9ad66a6a70867ac220849eee4a470
humanhash:	muppet-leopard-monkey-cardinal
File name:	KOQxv7Wlz4aLVgk.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	901'632 bytes
First seen:	2021-07-14 06:58:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:eaQUCGMFxNFHDsGXDURjysclcL6aFCkUvM5Oq+dAdgRBsequKKs+:eaQUiFxPjsGA99V7CkgM8peXnuKK
Threatray	6'737 similar samples on MalwareBazaar
TLSH	T1CB157A626784C62FCB7D46BD7950A091F3619DAAA3C1DE0B3B837392D57B2013097D2E
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

KOQxv7Wlz4aLVgk.exe

Verdict:

Malicious activity

Analysis date:

2021-07-14 06:59:39 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b53d2d97-5cca-4673-ac60-08d9858858c3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/171574/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.5506.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4297b8e7-a933-4225-8f62-545838c0170c

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/816039

Signature

.NET source code contains very large strings

Found malware configuration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/75b5fb4ad3ead4091a83a4dde5e6b328196f62a529817ff705450a47dc94a3c6/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2021-07-14 06:59:07 UTC

AV detection:

7 of 46 (15.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ow27wswt5lkasguduto6lzvtfamw6yvffgax75yfiufepxeuupda._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3cbc16e758d2dd21158d4a2b832b42f53a2acc99763e5f1201eed468ac52403e

AgentTesla

5c1acbd40fb6b82586354bd863d53e71d6cbc6f6271f0f8da6f3692c4446ebe6

AgentTesla

718f9065e9aff74288e63d800e903057b889d54913c8ce27fc7859cf2643018b

AgentTesla

7aca2c9fc681d73f89b0f2127bbdd5001f7675ec9788e3d5fd5ec7a0405dd49b

AgentTesla

828e23d2a1e4de67827b62b8c1fad396ebb7a1005b3137e686552e631957a70f

AgentTesla

91006c58f26cf791bc0d2981879e1b3cb045d9013dc3a92a158ce8968bd61ff4

AgentTesla

98cea7e20d6760aa8052e7be2968a74df11f602bf9860243631f1a56140fa13c

AgentTesla

c5c5950509109e01461d9a3779f6ff994b755f4f995c241c1d0e9f775df867c6

AgentTesla

c5e8a6ea759d6b8b95422435a60af0f787f598c0825847734778e9fa6259ad96

AgentTesla

+ 6'727 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210714-51xqnbqnss/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

624ccc5b7909a49c89911a55d4fca613cc19ff977bd289e4173576ee51f18079

MD5 hash:

c958b8307c0ddfd07acc1dc37dcea6ed

SHA1 hash:

e658524feb24818398f5cb32fe130edeb883aa9d

Link:

https://www.unpac.me/results/cf6b6d71-757b-4736-b843-e20816a43166/

SH256 hash:

c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b

MD5 hash:

0327d1374a5ce015ad9c83c5de76e823

SHA1 hash:

e521349d9e96a4191248747c42c78b6f88fc8f63

Link:

https://www.unpac.me/results/cf6b6d71-757b-4736-b843-e20816a43166/

SH256 hash:

34e7522a07765868bc3a2a40c7f44e32ff107faaab18ea5314f7e8a580d2e043

MD5 hash:

aaf1ee9ad6f31d0ec7fff42f0e2dd91f

SHA1 hash:

2716d72c96595773d0f853455d4aea9b1ab3807d

Link:

https://www.unpac.me/results/cf6b6d71-757b-4736-b843-e20816a43166/

SH256 hash:

75b5fb4ad3ead4091a83a4dde5e6b328196f62a529817ff705450a47dc94a3c6

MD5 hash:

43b9ad66a6a70867ac220849eee4a470

SHA1 hash:

c495b844d81a5d1fd517c73c487914268a16f607

Link:

https://www.unpac.me/results/cf6b6d71-757b-4736-b843-e20816a43166/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/75b5fb4ad3ead4091a83a4dde5e6b328196f62a529817ff705450a47dc94a3c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171574/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample