MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3
SHA3-384 hash: d48143e6387122bc3b52fee58a155483885deb8892490a14b5c3865d7b36db76a4dfa54a447d66bd98fd9b74ae7b630a
SHA1 hash: dcfe9d148b76768ae3dea9875255c0873d58d1b0
MD5 hash: 16d01fd64df59776d3454734512ded3c
humanhash: arkansas-alpha-ceiling-quebec
File name:KYC INQUIRY 14-01.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:590'336 bytes
First seen:2022-01-14 15:16:13 UTC
Last seen:2022-01-14 18:55:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:KK777777777777N7LPJ6OISxBo/+0dxGhu2jfwr7zo:KK777777777777lLB6O/p0dIhJwjo
Threatray 14'464 similar samples on MalwareBazaar
TLSH T165C4014F329A4672CEF09A3454A880505F756C4F2912C31638F9FEAE34B3BC6558EA97
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KYC INQUIRY 14-01.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 15:25:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/07edf0f0-0a0b-4c9b-aa30-14da9d94d519

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219352/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Agensla.ic.9669.20627.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/61e193f81883c5ba4ecc13ac/reports/3a5f7f98-bc99-4069-bafb-14a9fd570f2f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6dd7cf18-cfd1-42d9-a070-3e6719a16ce0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920823
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3/
Threat name:
ByteCode-MSIL.Hacktool.Mimikatz
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 15:17:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 28 (60.71%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o52d5llocpacjwzvgsudprtj5y6e7ovmemqlx6jx7ps6ldpeuozq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
28fc5135ea1f14ea296184a3e518908ae77d88f100efa162bf30c046790197a3
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
45be52ba60dc2401394324f60b577b4919b19442577c34b2f7e89d88fdcd4f94
AgentTesla
6d3deba9b84a0196b94370ee9a1201893fcacacc6736638407d0c4b11b7995a2
AgentTesla
7bd68279cf4cc59ba39b3d6709bae5312c55b880562ad88b606516d415b2b8a4
AgentTesla
b032521341d2f76b1fe69ead761ce67c48fd4ebc7c4ecdb4e7d81dc8b9935e1e
AgentTesla
b86905276e81077e6f84b256d57ec516f3f458b427f5a015088e56a11f9553cd
AgentTesla
c7f4ad3987c2026cd2051b487f34e9f2a56249dc319ab066497be27e01a2ea6e
AgentTesla
c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4
AgentTesla
f7437bba4e59178441160b2b89e5aa94ee2afca4f07b7f1a47d5e93468de4742
AgentTesla
+ 14'454 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220114-sn34maghc5/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
b328782d470d4c70e49d10dd8c1d21ba36e182e4cffbf5a06c74c651175bf26a
MD5 hash:
5c13d309008206fc771d1a7891562b89
SHA1 hash:
d95c7d9c5b8f1884f9850200d7c963444a69753b
Link:
https://www.unpac.me/results/af1bbdf8-12cd-482d-82d6-6dffb9646926/
SH256 hash:
86c7272c70da407bcf98affbf86b74d01abd824ed6652ac0ac23f6c7e88d660a
MD5 hash:
54a1b63cfd1b5000d64ec9ac811b72ec
SHA1 hash:
7776e11e2303c81aabcdbacc0715f5ab1be5d417
Link:
https://www.unpac.me/results/af1bbdf8-12cd-482d-82d6-6dffb9646926/
SH256 hash:
ed88cd24616f51aef287f02eb1ba8ce80591750f7aeee1a902231d5b74d6f6d4
MD5 hash:
cc834eecd37614a3fc9f858626bf032a
SHA1 hash:
0d0d413304c53b948b50c62bf8d46ef5d493cbaf
Link:
https://www.unpac.me/results/af1bbdf8-12cd-482d-82d6-6dffb9646926/
SH256 hash:
77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3
MD5 hash:
16d01fd64df59776d3454734512ded3c
SHA1 hash:
dcfe9d148b76768ae3dea9875255c0873d58d1b0
Link:
https://www.unpac.me/results/af1bbdf8-12cd-482d-82d6-6dffb9646926/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar b52f299806a5675bfb28fd4fede61e47f059b161c4313cecb953c2167cbe219c

AgentTesla

Executable exe 77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b52f299806a5675bfb28fd4fede61e47f059b161c4313cecb953c2167cbe219c
Cape
Cape
https://www.capesandbox.com/analysis/219352/

Comments