MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75c96c8d4e720fe1290200707fcca94188b4525dcc8ae2f1dfe49068b7bb3e83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75c96c8d4e720fe1290200707fcca94188b4525dcc8ae2f1dfe49068b7bb3e83
SHA3-384 hash: 9fb137e2978dc968ddbb047dc76f400839b7cb9091d779b1f3d9ba0b2644465ad8a3d11c021bbc30aa1008da5e066fbd
SHA1 hash: 5b29dc2969a512aaf8ecef5bae9c10ab1c9ca571
MD5 hash: 33a57e36b93588f026574b4a3f748443
humanhash: mobile-ack-iowa-king
File name:SecuriteInfo.com.Win32.PWSX-gen.15705.12320
Download: download sample
Signature AgentTesla
Create hunting rule
File size:766'976 bytes
First seen:2024-04-15 05:19:12 UTC
Last seen:2024-04-16 07:15:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:ca0NBK+gv85YJ25t9WA02qgwx5zZZ4mIPlcx4Cv1/BBs0i/7rhLl:z0NDAJmh02qgwxzZ4sXBs0IF
Threatray 8 similar samples on MalwareBazaar
TLSH T10DF4126076AD8B77E6AF17F9882D206007B0B776B136EB0D4CCA90C91564F019ED1EDB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00822a6ed7a78600 (12 x AgentTesla, 2 x Neshta, 2 x Formbook)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
296
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
75c96c8d4e720fe1290200707fcca94188b4525dcc8ae2f1dfe49068b7bb3e83.exe
Verdict:
Malicious activity
Analysis date:
2024-04-15 05:22:29 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/ca9ca7d7-ac14-40f7-9b7c-b4bab4de1728

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer lolbin packed
Link:
https://www.filescan.io/uploads/661cb90608ebdfcacd05fa3f/reports/e25c5b39-39b9-417c-ae75-5c5cfc283228/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/75c96c8d4e720fe1290200707fcca94188b4525dcc8ae2f1dfe49068b7bb3e83
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd6a9dfe-4d11-4e5b-b3f9-c9a2c53b2d3d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1425932
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1425932 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 15/04/2024 Architecture: WINDOWS Score: 100 42 mail.daanapharma.com 2->42 44 daanapharma.com 2->44 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 8 other signatures 2->54 8 SecuriteInfo.com.Win32.PWSX-gen.15705.12320.exe 7 2->8         started        12 lTkljpnpbWtqA.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\lTkljpnpbWtqA.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp4DEB.tmp, XML 8->40 dropped 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 8->58 60 Adds a directory exclusion to Windows Defender 8->60 14 SecuriteInfo.com.Win32.PWSX-gen.15705.12320.exe 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        26 2 other processes 8->26 62 Multi AV Scanner detection for dropped file 12->62 64 Injects a PE file into a foreign processes 12->64 22 lTkljpnpbWtqA.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 46 daanapharma.com 107.6.7.237, 49711, 49714, 587 COGECO-PEER1CA Canada 14->46 66 Loading BitLocker PowerShell Module 18->66 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->68 70 Tries to steal Mail credentials (via file / registry access) 22->70 72 Tries to harvest and steal browser information (history, passwords, etc) 22->72 34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/75c96c8d4e720fe1290200707fcca94188b4525dcc8ae2f1dfe49068b7bb3e83
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/75c96c8d4e720fe1290200707fcca94188b4525dcc8ae2f1dfe49068b7bb3e83/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-04-15 05:20:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oxewzdkooih6ckicabyh7tfjigelius5zsfof4o74sigrn53h2bq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
43c9d2ce7dd27609316480a0995af447903a6c9bf6dd64e4ff2ae666062076ba
AgentTesla
4ec8f72bf35c4a1de223b92521d3e0c996809eaf52f50960d8580e89be6152e7
AgentTesla
75c96c8d4e720fe1290200707fcca94188b4525dcc8ae2f1dfe49068b7bb3e83
AgentTesla
7d17f84cab786296bb3ac7001e3706f112db5b69c82789b709f6cec2ea0fd116
AgentTesla
d82adbafec869ce93ab6133e0f88ae81e1f138d6f31bd90aa054fc4331001169
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240415-f1ewcaff26/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d2088a77f291c0809775ee7a9636d5a45e5c3f6a65223aedf462d9ca6945cb33
MD5 hash:
a0c107b57dea9d6973770b5c58d543a2
SHA1 hash:
f0fcc9ba240452ca0270c9011995e7612deff511
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/d6673248-03e3-4a23-9ee6-2258ec1deecd/
SH256 hash:
4d490f76b44ab9e51a6691a8d7cc36afaf3a358c7275bc6e06e860907ee30ee8
MD5 hash:
6cf07fb54ed11c675c51a95ec4028bb7
SHA1 hash:
955db27ab0b47c4b96ee406b577199c089f28f7d
Link:
https://www.unpac.me/results/d6673248-03e3-4a23-9ee6-2258ec1deecd/
SH256 hash:
6c4a2931506f6d2be6083c1b018222a4efeecc2c09866a9db30fc647d1288a92
MD5 hash:
884e2c7e4b3ffd7528bcbfb8cb5fb0f9
SHA1 hash:
7583ffc5ec52904eadbae7d33dff7b53c39713eb
Link:
https://www.unpac.me/results/d6673248-03e3-4a23-9ee6-2258ec1deecd/
SH256 hash:
3c1bddb687a4b72f4be4fd412805d5bd678a6003e0b7075eb5874c6df737d4b7
MD5 hash:
987d1c038230d109c05f14db5d343167
SHA1 hash:
483a527043e353419d98de62172542b4f1319655
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/d6673248-03e3-4a23-9ee6-2258ec1deecd/
Parent samples :
75c96c8d4e720fe1290200707fcca94188b4525dcc8ae2f1dfe49068b7bb3e83
aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109
7d17f84cab786296bb3ac7001e3706f112db5b69c82789b709f6cec2ea0fd116
849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
46f903112e133bc567c54392a876d768001a1934e75d17ce219ec41a1063d1aa
SH256 hash:
75c96c8d4e720fe1290200707fcca94188b4525dcc8ae2f1dfe49068b7bb3e83
MD5 hash:
33a57e36b93588f026574b4a3f748443
SHA1 hash:
5b29dc2969a512aaf8ecef5bae9c10ab1c9ca571
Link:
https://www.unpac.me/results/d6673248-03e3-4a23-9ee6-2258ec1deecd/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/75c96c8d4e72/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75c96c8d4e720fe1290200707fcca94188b4525dcc8ae2f1dfe49068b7bb3e83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0bd27cf3e62297f2eda12a09cb28c272cabf470f791f278e24a77fdd0875d427

AgentTesla

Executable exe 75c96c8d4e720fe1290200707fcca94188b4525dcc8ae2f1dfe49068b7bb3e83

(this sample)

  
Dropped by
SHA256 0bd27cf3e62297f2eda12a09cb28c272cabf470f791f278e24a77fdd0875d427
  
Dropped by
MD5 c5dc0ae190a5607e76a735a0537f431e
  
Dropped by
SHA256 9d35545a75033e48cdc77639b08925d20161fd24783a30fc1e77a2f73cb4cb95
  
Dropped by
MD5 3d25cca725c5240380f43258834acce4

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments