MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 763db148488de0ecda28ac3d55147a0dc7b092a64e915bff98529b0185668e03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 763db148488de0ecda28ac3d55147a0dc7b092a64e915bff98529b0185668e03
SHA3-384 hash: f05dcb87842a7ad38b5176a826e8ccaa46eef8abfb237c5d6f40ad09176c6d9fe1aea58b91bcf81cd0f6b423a3bc1477
SHA1 hash: fad6dfc65eb539dc7438096c10d3b18b21c5a97f
MD5 hash: 27d0f9389dcd690e6e6976427f1e266c
humanhash: lithium-golf-east-emma
File name:SecuriteInfo.com.Win32.PWSX-gen.13397.19541
Download: download sample
Signature AgentTesla
Create hunting rule
File size:825'344 bytes
First seen:2023-10-16 10:31:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:ZzfqBuqzo+ouymkp0y63wKFFouZ30+rPe1hNDuJ7AYfmDy:ZT6nLymaKFFouegPiP27WDy
Threatray 8 similar samples on MalwareBazaar
TLSH T1FE051292DA4986DDED3553F31433CD509AF33C7A95B0C1AD4E8DB6A60B733A10062E6B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 130b33230b2b4ac8 (2 x Formbook, 2 x AgentTesla)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
342
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.13397.19541
Verdict:
Malicious activity
Analysis date:
2023-10-16 10:33:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/de2ffa8a-96b6-447f-9a30-30b66174a391

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454824/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/652d1124422e14c65a90a28f/reports/6213cb07-56a8-402f-a11d-a181d3793b6e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/763db148488de0ecda28ac3d55147a0dc7b092a64e915bff98529b0185668e03
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b1ab4793-a5c0-45f8-b5aa-9102fc05a8e1
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1326382
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1326382 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 16/10/2023 Architecture: WINDOWS Score: 100 48 www.victorviera.com 2->48 50 www.schonbutter.com 2->50 52 18 other IPs or domains 2->52 62 Malicious sample detected (through community Yara rule) 2->62 64 Sigma detected: Scheduled temp file as task from temp location 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 4 other signatures 2->68 10 cbKhCLJKvA.exe 5 2->10         started        13 SecuriteInfo.com.Win32.PWSX-gen.13397.19541.exe 7 2->13         started        signatures3 process4 file5 78 Multi AV Scanner detection for dropped file 10->78 80 Machine Learning detection for dropped file 10->80 82 Injects a PE file into a foreign processes 10->82 16 cbKhCLJKvA.exe 10->16         started        19 schtasks.exe 1 10->19         started        44 C:\Users\user\AppData\...\cbKhCLJKvA.exe, PE32 13->44 dropped 46 C:\Users\user\AppData\Local\...\tmp357A.tmp, XML 13->46 dropped 84 Uses schtasks.exe or at.exe to add and modify task schedules 13->84 86 Adds a directory exclusion to Windows Defender 13->86 21 powershell.exe 23 13->21         started        23 schtasks.exe 1 13->23         started        25 SecuriteInfo.com.Win32.PWSX-gen.13397.19541.exe 13->25         started        signatures6 process7 signatures8 60 Maps a DLL or memory area into another process 16->60 27 gdgTvxfPSSV.exe 16->27 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 WerFault.exe 22 16 25->37         started        process9 dnsIp10 54 parkingpage.namecheap.com 91.195.240.19, 49727, 49728, 49729 SEDO-ASDE Germany 27->54 56 schonbutter.com 81.88.48.71, 49725, 80 REGISTER-ASIT Italy 27->56 58 7 other IPs or domains 27->58 88 Maps a DLL or memory area into another process 27->88 39 PATHPING.EXE 13 27->39         started        signatures11 process12 signatures13 70 Tries to steal Mail credentials (via file / registry access) 39->70 72 Tries to harvest and steal browser information (history, passwords, etc) 39->72 74 Writes to foreign memory regions 39->74 76 2 other signatures 39->76 42 firefox.exe 39->42         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/763db148488de0ecda28ac3d55147a0dc7b092a64e915bff98529b0185668e03
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/763db148488de0ecda28ac3d55147a0dc7b092a64e915bff98529b0185668e03/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-10-16 09:47:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oy63cscirxqozwrivq6vkfd2bxd3bevgj2ivx74ykknqdblgrybq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
50c55b209d899514903835fbded92e680b34cd34e24aac9d3919522c42b543d4
AgentTesla
5c81f8bdc8982d2a8dd77d0eaae816095fbfb73c9d11a7f82cb3ed005ba601d7
AgentTesla
69823adb0ba288e8067ebfb8bb9377c8e86d336f70abb2186f86a306addca65b
AgentTesla
7a9e4659261f4a3c4744f60dfdb170ebc705756a6b921621c24d85c4a2876318
AgentTesla
84a957af4bee9e5f07b399e5a36ea6b59038e85d3efb2f0f6bd86de787f634ad
AgentTesla
a94ee1fa20f2c027003ee0bef71045f2b0200eeb6511b621a599ab60f40f4b9f
AgentTesla
bdaeb27128a9d6dbcd93b0844d57e6de8a03ec3b53b1380f41523ec35ad6af18
AgentTesla
e41ce47cf174f8b3f909756c90495e990b4f5550da4bd7e1a6b5ba50ba0ba9e9
AgentTesla
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231016-mkyf3sdd9y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
3bed583d9c1ab349b01160f25f1baa5543d16a8c001e715a9f2528bdecc71585
MD5 hash:
5cd146496c674594cd0e17959a1a8864
SHA1 hash:
c1d9bac2a8f49f26b4db00f4fcd7d240c5a793c7
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0116cba6-118b-4278-a10e-72a266268ff4/
SH256 hash:
fdb868821b5d4ac4afdd344d93083aa8292c2e62206a3b0588340be2acfb72a7
MD5 hash:
c0f7df6cc1840f1c5205875c1418620b
SHA1 hash:
3c6d2235f3d3deff5c2573e9128dab59bbfc368f
Link:
https://www.unpac.me/results/0116cba6-118b-4278-a10e-72a266268ff4/
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/0116cba6-118b-4278-a10e-72a266268ff4/
SH256 hash:
be4b62dde8ea819da76e898b0e64a7858be2e5f598233ed0d5474e0996db52b1
MD5 hash:
9aa83a0233f21419a96f5a1201adb4aa
SHA1 hash:
7fa0fe91070505550da96f11698259749ba824db
Link:
https://www.unpac.me/results/0116cba6-118b-4278-a10e-72a266268ff4/
SH256 hash:
59076ab049ab2b6dbee8b13a7ee52369d6116cccda8d717f5fe3add17ad3ba64
MD5 hash:
1053bee94f2139f9b2a4cf67e2639186
SHA1 hash:
51e7cc9a9677239d19b17fd2fa85dc5e328f0a59
Link:
https://www.unpac.me/results/0116cba6-118b-4278-a10e-72a266268ff4/
SH256 hash:
763db148488de0ecda28ac3d55147a0dc7b092a64e915bff98529b0185668e03
MD5 hash:
27d0f9389dcd690e6e6976427f1e266c
SHA1 hash:
fad6dfc65eb539dc7438096c10d3b18b21c5a97f
Link:
https://www.unpac.me/results/0116cba6-118b-4278-a10e-72a266268ff4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/763db148488de0ecda28ac3d55147a0dc7b092a64e915bff98529b0185668e03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/454824/

Comments