MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75bdfd56936622e5fa950139b536b1319a2e86ee868c1c46c83297be950607f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75bdfd56936622e5fa950139b536b1319a2e86ee868c1c46c83297be950607f3
SHA3-384 hash: 6cd7053d6cd757b2e099868856c8015d7c020cc2224ae5aaec47d008b31fd18db2d7b8b776554ec5f3a55628c8531453
SHA1 hash: c1d906e236393477a8ab9efca226c7d85842c3a6
MD5 hash: c91c4f236a8ba9195cfb4d0be62728a2
humanhash: fruit-glucose-mirror-purple
File name:c91c4f236a8ba9195cfb4d0be62728a2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:297'100 bytes
First seen:2022-12-01 15:46:31 UTC
Last seen:2022-12-01 17:31:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 6144:QBn1j5DQGjO0l0fje9HQUILbVd86Z6l+nK+Wi24hmy0Fowpx4VsCMsm+:gV0GBAGHQUIP4plXumy0FoDpZm+
Threatray 18 similar samples on MalwareBazaar
TLSH T14D54122B31E280F7C4608B786473F69AD3FF1A143576B28B5B444F2AAD31AE27C5D191
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe Telegram

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c91c4f236a8ba9195cfb4d0be62728a2.exe
Verdict:
Suspicious activity
Analysis date:
2022-12-01 15:49:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e95ed640-4ab3-481b-b649-6d58ab725293

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341195/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1200.15794.26387.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Sending a custom TCP request
Reading critical registry keys
Creating a window
Setting a keyboard event handler
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6388cc78ba2a5a5de1801702/reports/e447506b-6ba1-4ffd-9a30-68319c1b9f78/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0f564fdb-fc8f-48cb-ad72-8103c94ddf40
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1125550
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75bdfd56936622e5fa950139b536b1319a2e86ee868c1c46c83297be950607f3/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-11-30 11:38:27 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ow672vutmyrol6uvae43knvrggnc5bxoq2gbyrwigkl35figa7zq._file
Verdict:
malicious
Similar samples:
11ea4f65b83885a62749e9aa74cfa43faf6b19acdb28a4d400bc7e53a6e4eb8d
AgentTesla
124c7e9b3f1e0b7875e4b45594a983bfe1eaa1fdf358b4b8af141bba16f40137
AgentTesla
4111d8a77648c1ecc36b62e34144f14a7b02e22bd5a0ba7493b9c2d0faadec0d
AgentTesla
511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6
AgentTesla
581b533fee4fcc7772372b7c8cb0f7d970980a397febf634bb95a406176f2e85
AgentTesla
8dec08c523bc61d2d8da23da4d82ff33e89f69c7478578af3623f9411e1a38d0
AgentTesla
9d3a555c7d87a1571ecdc140b42a3f51df2fa4a65314810bc7546e7a7a528539
AgentTesla
a15286dfda1645f03a85b3131f190969b5d4b640984081a1e43e1e8c277765a8
AgentTesla
aa6c4142f8eb54d879c6bd1554c8079f5381eae1c376d4690682a6452791fe1e
AgentTesla
aeb7511ea428c00eba4785ac69ec53afcf3f06604bd1cb0b99173c76cd34dfa2
AgentTesla
+ 8 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221201-s784zsgf4t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b3bdaae1-054f-49af-9dda-b8d004643161
Unpacked files
SH256 hash:
29317416f5822d8768241d1c019ecf5f1ae5bad6ed705fbf12feb92afb9c7a58
MD5 hash:
90b7996e39d1ef807d7ff1e78dca5b0f
SHA1 hash:
4dd9078bbbac1cd422d55b417c945fd906636249
Link:
https://www.unpac.me/results/0677c15f-8036-447f-8eaa-4c97c242347e/
SH256 hash:
75bdfd56936622e5fa950139b536b1319a2e86ee868c1c46c83297be950607f3
MD5 hash:
c91c4f236a8ba9195cfb4d0be62728a2
SHA1 hash:
c1d906e236393477a8ab9efca226c7d85842c3a6
Link:
https://www.unpac.me/results/0677c15f-8036-447f-8eaa-4c97c242347e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.23
Link:
https://yomi.yoroi.company/submissions/75bdfd56936622e5fa950139b536b1319a2e86ee868c1c46c83297be950607f3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 75bdfd56936622e5fa950139b536b1319a2e86ee868c1c46c83297be950607f3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2432074/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2438491/
Cape
Cape
https://www.capesandbox.com/analysis/341195/

Comments