MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76f2e24151a110b474722868aa411baf79605bb0802afd3eb29b1e91217c04dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76f2e24151a110b474722868aa411baf79605bb0802afd3eb29b1e91217c04dd
SHA3-384 hash: 3c6d4ca0ca3cd6f71dc91d314eb633f42bf1e7d4d8fccd1dff6441d3221185c065b7f3ee7c1821e6aa2f62223a59590c
SHA1 hash: ddd78c224351c8938835eee974f2be38cd067717
MD5 hash: 5679a3b4d0a2f034efa87c838b972e43
humanhash: kitten-bluebird-nine-carpet
File name:1-18 Produkte aufgelistet.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:622'592 bytes
First seen:2023-01-31 08:53:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:+qjy3thZ+GvJp2eJzJStedQiPGuf/WFmGqYNar8z9i7+pvFCWtO:kth0bAMENP5Q2YNar8zw6Rkh
Threatray 24'021 similar samples on MalwareBazaar
TLSH T15CD42311127843E9C61D03BE75738D30437A5E69B827EF0CAAD6B4E615777C213B2AA3
TrID 59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.6% (.SCR) Windows screen saver (13097/50/3)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 3511156707116181 (1 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
1-18 Produkte aufgelistet.exe
Verdict:
Malicious activity
Analysis date:
2023-01-31 08:55:43 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/99ef8fdf-be6e-43bc-99c9-a5d4b9fb0dca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/358587/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.45756.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d8d72d696b2d972574fc2a/reports/ef8cfc45-5588-4b79-8f6b-2062053c5d90/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/84a27720-b130-455f-a8a5-6d9662ee9e0a
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1162253
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 795004 Sample: 1-18 Produkte aufgelistet.exe Startdate: 31/01/2023 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 10 other signatures 2->59 7 QQtEftZ.exe 5 2->7         started        10 1-18 Produkte aufgelistet.exe 7 2->10         started        process3 file4 61 Multi AV Scanner detection for dropped file 7->61 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->63 65 May check the online IP address of the machine 7->65 71 2 other signatures 7->71 13 QQtEftZ.exe 7->13         started        17 schtasks.exe 7->17         started        35 C:\Users\user\AppData\Roaming\QQtEftZ.exe, PE32 10->35 dropped 37 C:\Users\user\...\QQtEftZ.exe:Zone.Identifier, ASCII 10->37 dropped 39 C:\Users\user\AppData\Local\...\tmp75CA.tmp, XML 10->39 dropped 41 C:\...\1-18 Produkte aufgelistet.exe.log, ASCII 10->41 dropped 67 Adds a directory exclusion to Windows Defender 10->67 69 Injects a PE file into a foreign processes 10->69 19 1-18 Produkte aufgelistet.exe 15 3 10->19         started        21 powershell.exe 21 10->21         started        23 powershell.exe 21 10->23         started        25 schtasks.exe 1 10->25         started        signatures5 process6 dnsIp7 43 mail.eurekapools.com.my 13->43 45 api.ipify.org 13->45 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->73 75 Tries to steal Mail credentials (via file / registry access) 13->75 77 Tries to harvest and steal ftp login credentials 13->77 79 Tries to harvest and steal browser information (history, passwords, etc) 13->79 27 conhost.exe 17->27         started        47 mail.eurekapools.com.my 19->47 49 api4.ipify.org 64.185.227.155, 443, 49695, 49697 WEBNXUS United States 19->49 51 2 other IPs or domains 19->51 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76f2e24151a110b474722868aa411baf79605bb0802afd3eb29b1e91217c04dd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-31 08:54:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3zoeqkrueili5dsfbukuqi3v54waw5qqavp2pvstmpjcil4atoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
5a0893d2100052e465b5329bc5ab00bad025469b279ef9fe1ab6a4643b5e8a5e
AgentTesla
61f0682e81e51a2da57e9d2abd46efa24f920f3151757b5871db1932ff67de9b
AgentTesla
89c9b86de8083ac5ed85f81e10535af56983e6f9a3037aaef810c5b069c1d1cd
AgentTesla
8db04b3a0c1bf0ff77b9f0f352e6091887199e998236f70bbe0833260b864370
AgentTesla
b74982501cdb0e1bdcc34a05b2db5ecc0b7fb87d118e0d7dee8aa1794620dced
AgentTesla
c1b9ddd584078ecf7375239eecc419c3ebcf441c71db62b8e559b88613861026
AgentTesla
cd96c879ce3a8b24fa5d021d0c296565806a4a98e75d90e8141943afbf517f66
AgentTesla
+ 24'011 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230131-ktb84aff98/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c9004afa131a1c8c34952525a307d5889a50d3ac5d3e72d6f410a4dc7f395b17
MD5 hash:
6662e7ea7c8d351695cecd6d433af02a
SHA1 hash:
fbd706660faa16c8b3864d5f54297a48beefaca7
Link:
https://www.unpac.me/results/981fd198-52a7-4468-910e-821032c1e7cc/
SH256 hash:
178cc7474b323b0ae6b3095ff67127726530d9d44be5cb58ba7315ef3a1199ad
MD5 hash:
159af9cf7f94d64c8120c80268965306
SHA1 hash:
fb41ab37af2c83e96d97e9cd066f90e72d4887ea
Link:
https://www.unpac.me/results/981fd198-52a7-4468-910e-821032c1e7cc/
SH256 hash:
9241e2007a4b5c511f0e8a5042bf2b90490cb4546faaca7fee87e23606a53562
MD5 hash:
11de9196b64c1f31d2b1c8c8d847b791
SHA1 hash:
b592f6ce44fe7cb47865fe84ae7094dd2fba9f5d
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/981fd198-52a7-4468-910e-821032c1e7cc/
Parent samples :
f7318ba2fa1309d96755c3f7614b24f8ff05c3d14491f9becfab3b58f2be00d0
d6bfda96996e156537354738e29438d268acd7c7b7ca5f60a0771223d9b16394
76f2e24151a110b474722868aa411baf79605bb0802afd3eb29b1e91217c04dd
SH256 hash:
3e4d34d41e21a361728b2f095bee328db5a5e69f3d69612a7025898168a45c19
MD5 hash:
2c286c9dce10fba9d3ad01852531e30a
SHA1 hash:
7d7ad80068479a220f4c02729a5012be41d62882
Link:
https://www.unpac.me/results/981fd198-52a7-4468-910e-821032c1e7cc/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/981fd198-52a7-4468-910e-821032c1e7cc/
SH256 hash:
76f2e24151a110b474722868aa411baf79605bb0802afd3eb29b1e91217c04dd
MD5 hash:
5679a3b4d0a2f034efa87c838b972e43
SHA1 hash:
ddd78c224351c8938835eee974f2be38cd067717
Link:
https://www.unpac.me/results/981fd198-52a7-4468-910e-821032c1e7cc/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/76f2e24151a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76f2e24151a110b474722868aa411baf79605bb0802afd3eb29b1e91217c04dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 76f2e24151a110b474722868aa411baf79605bb0802afd3eb29b1e91217c04dd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/358587/

Comments