MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 786ddc7d011a47966badc8c053026456f011367863ab1f184f1b4e6517bc80ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 786ddc7d011a47966badc8c053026456f011367863ab1f184f1b4e6517bc80ab
SHA3-384 hash: 64ceefa98fe6bee620c66ec241b71b898b8b8c2dd3be7a05b4e6783c456856bce36018671901ebb2023f981ce0afd069
SHA1 hash: dc54868fa32adcdfca6987992a01a95f389f8a76
MD5 hash: 4391cf63d78dd4e8d05cf172aa7f5065
humanhash: low-pasta-hydrogen-zulu
File name:Swift_Ref 240223.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:324'317 bytes
First seen:2023-02-27 09:04:04 UTC
Last seen:2023-03-06 08:30:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:DYa65pgJ4g/dDsQDXkEPY3pbe8aKUM63O2z3JWdJxP3EvQMy5ZNMlHcFI2qRYI:DY7pgJ4gVDsQdA308CM6e+5WdJ+y5Z3G
Threatray 926 similar samples on MalwareBazaar
TLSH T14A64234436E2C067D481493A4A7AE3A15BF9D60E24A4C74B23B53F7CB83A146AD0F7D7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift_Ref 240223.exe
Verdict:
Malicious activity
Analysis date:
2023-02-27 09:10:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ef4c05b8-d91d-4874-aeeb-f19a179e47ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370064/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.15914.24001.12151.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Setting a keyboard event handler
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63fc72412313ffd5d3189e20/reports/86c8f0b8-5409-4922-8092-0712a63c89af/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/786ddc7d011a47966badc8c053026456f011367863ab1f184f1b4e6517bc80ab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d6ffb8eb-556d-461b-bef0-0f737ccd2caa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1183951
Signature
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/786ddc7d011a47966badc8c053026456f011367863ab1f184f1b4e6517bc80ab/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 08:03:48 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pbw5y7ibdjdzm25nzdafgatek3ybcntymovr6gcpdnhgkf54qcvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
040fe22eaf3b4e15772932c674e74582dc6c23c8460f7669b9615e35e3ce3c5f
AgentTesla
04518db5d52daacf4a9805b90a3fee8eccf1bedafe203a728baeff92f25bb143
AgentTesla
19b2a3829ed8eb3ff4a36bd542c114c3b28b23c64dfa4560db86e4f902d7f7a2
AgentTesla
b1c86264a08c92aaec1c6cdd9dea602387c0cc2a14d7fd715165a18a757c4ea2
AgentTesla
bb8e578f777a7963c7e18be9484136f341dae13f47afed2b7c6c46a3f4d47ca2
AgentTesla
bbf1ba75e76d3236f90a446e039fe746e0222c8f89f8ec728f275bc43a813a05
AgentTesla
e92d947e5ba510e9dff65b5e87e56e08df8c70e1bd9a05ea7ed08a860b957295
AgentTesla
f07e48ea979743c38e1531d1b9b66585956d3d204546958b45fb7aeba189ba96
AgentTesla
+ 916 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230227-k1my6scg59/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6166794428:AAFa7ajWAWrkz8Mg0N_HjJadbltJMMTv7Gs/
Unpacked files
SH256 hash:
5e0982c2af1b815e3cc6df7d78e485d10b116aa5cb599e9ac6af67491aedf14d
MD5 hash:
2eb8680775f7b548dc23ad97e953abd0
SHA1 hash:
fe32e0105058fe3ad6cd9af8e5019b87b76a16e6
Link:
https://www.unpac.me/results/266c2eb2-27e0-465f-a66b-b38e60178a6d/
SH256 hash:
1874e40bb30390e21822916ffbd06433c263f128e8537e28456d28878c0c30fc
MD5 hash:
b79be98f010be73e8636bd8942255829
SHA1 hash:
c1b46bd28c80f1c54be64dc4550761d016e3c6ca
Link:
https://www.unpac.me/results/266c2eb2-27e0-465f-a66b-b38e60178a6d/
SH256 hash:
d3d3728032a5f4cdfe0a3b5e7ab9899815bf905703f6e24dd5343ed2ec8be9c0
MD5 hash:
fbf9cbd7564811434dcde964794a7114
SHA1 hash:
bf967760bbd64751f834d219da73d6a473f70cf7
Link:
https://www.unpac.me/results/266c2eb2-27e0-465f-a66b-b38e60178a6d/
SH256 hash:
786ddc7d011a47966badc8c053026456f011367863ab1f184f1b4e6517bc80ab
MD5 hash:
4391cf63d78dd4e8d05cf172aa7f5065
SHA1 hash:
dc54868fa32adcdfca6987992a01a95f389f8a76
Link:
https://www.unpac.me/results/266c2eb2-27e0-465f-a66b-b38e60178a6d/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/786ddc7d011a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/786ddc7d011a47966badc8c053026456f011367863ab1f184f1b4e6517bc80ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 786ddc7d011a47966badc8c053026456f011367863ab1f184f1b4e6517bc80ab

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/370064/

Comments