MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79444990f14a93a2dbf9d6441c0cd28d9f1b9934e0bff5377663526c7ca85aaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79444990f14a93a2dbf9d6441c0cd28d9f1b9934e0bff5377663526c7ca85aaa
SHA3-384 hash: a88e94e301d6f7f4a5cbd6fcb51b0f69d4cd1f822fbc5d1530f7249ba652ed582d5e6de31303f848cdada9aa5a0b0847
SHA1 hash: 4af669a997e2ba379b81ae986f5d93bbe2edd4c4
MD5 hash: 665f25aed2eb3884dc15b14b15b578a8
humanhash: jupiter-zulu-purple-avocado
File name:SecuriteInfo.com.Trojan.Packed2.44591.7248.24141
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'416'064 bytes
First seen:2022-11-09 08:46:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:cvKSBnP1/wN4UsDWfZ+y6W7POy0IkeqhbJbw:+R97URd2yxsbJb
Threatray 540 similar samples on MalwareBazaar
TLSH T18DF586342DAC2447959FB926ABDE94348914ABC7EB988343F59830434D1BD0ACF71BF9
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331096/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44591.7248.24141.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Changing a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/636b690782dd9f2e26531f8e/reports/ed80f6a4-14ef-4463-ac23-204efdba6c93/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a29195cd-7f13-42be-87c3-bc59ad93c761
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
expl.evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1109169
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Disables UAC (registry)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 741850 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 09/11/2022 Architecture: WINDOWS Score: 100 50 api.telegram.org 2->50 52 api.ipify.org.herokudns.com 2->52 54 api.ipify.org 2->54 70 Snort IDS alert for network traffic 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 7 other signatures 2->76 8 SecuriteInfo.com.Trojan.Packed2.44591.7248.24141.exe 2 2 2->8         started        12 SecuriteInfo.com.Trojan.Packed2.44591.7248.24141.exe 1 2->12         started        14 SecuriteInfo.com.Trojan.Packed2.44591.7248.24141.exe 1 2->14         started        signatures3 process4 file5 40 SecuriteInfo.com.T....7248.24141.exe.log, ASCII 8->40 dropped 78 Creates autostart registry keys with suspicious names 8->78 80 Writes to foreign memory regions 8->80 82 Adds a directory exclusion to Windows Defender 8->82 84 Disables UAC (registry) 8->84 16 CasPol.exe 15 13 8->16         started        20 powershell.exe 27 8->20         started        86 Injects a PE file into a foreign processes 12->86 22 CasPol.exe 12->22         started        24 powershell.exe 12->24         started        26 CasPol.exe 12->26         started        28 CasPol.exe 4 14->28         started        30 powershell.exe 14->30         started        32 CasPol.exe 14->32         started        signatures6 process7 dnsIp8 42 api.telegram.org 149.154.167.220, 443, 49799, 49800 TELEGRAMRU United Kingdom 16->42 44 api.ipify.org.herokudns.com 3.232.242.170, 443, 49796 AMAZON-AESUS United States 16->44 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->56 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->58 60 Tries to steal Mail credentials (via file / registry access) 16->60 68 2 other signatures 16->68 34 conhost.exe 20->34         started        46 54.91.59.199, 443, 49812 AMAZON-AESUS United States 22->46 62 Tries to harvest and steal ftp login credentials 22->62 64 Tries to harvest and steal browser information (history, passwords, etc) 22->64 66 Installs a global keyboard hook 22->66 36 conhost.exe 24->36         started        48 3.220.57.224, 443, 49809 AMAZON-AESUS United States 28->48 38 conhost.exe 30->38         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79444990f14a93a2dbf9d6441c0cd28d9f1b9934e0bff5377663526c7ca85aaa/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-11-09 05:33:18 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfcetehrjkj2fw7z2zcbydgsrwprxgju4c77kn3wmnjgy7filkva._file
Verdict:
unknown
Similar samples:
06a71366813620e612dfc0f0e7f293712b6b10546db85bc065705d14db007a2d
AgentTesla
44e70f14e20d43e59bee945d443ba00adc352d38a22b1a6b82731a83bc02ebfe
AgentTesla
4f28d606adaacc365adde510380b2d5111339ecca6fc7e996d68e6ebb66d29b8
AgentTesla
560a2b36202c7ffffb40372f390dddc776a8fb0d3deef44e7c7b4cbb02a61138
AgentTesla
5b65bd3beffa01f08710d696c4011d321846c81ff8248e31ce9c4bc933a54d39
AgentTesla
9d0cd2b1f470af7bba55345850c4f2b24ba96b9c4c361e4ff75c14a72bb3e7de
AgentTesla
d3c0d9f3e9555fac2f6c6431339c4556f2d87b5479543a927040c4ddfd1e25ba
AgentTesla
f4742eb31c8b2c6dfd22b03aefe30d4891d50f88e70b5bc27dae05fb3a615d69
AgentTesla
+ 530 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221109-kpvvmsfcc8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Checks computer location settings
Windows security modification
AgentTesla
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
https://api.telegram.org/bot5705602282:AAFcwBeX9coGMKJeokPZOq06CS7N1H2rCJI/
Unpacked files
SH256 hash:
79444990f14a93a2dbf9d6441c0cd28d9f1b9934e0bff5377663526c7ca85aaa
MD5 hash:
665f25aed2eb3884dc15b14b15b578a8
SHA1 hash:
4af669a997e2ba379b81ae986f5d93bbe2edd4c4
Link:
https://www.unpac.me/results/f7b08cf2-5251-40be-9f27-abe2f1f1c1de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/79444990f14a93a2dbf9d6441c0cd28d9f1b9934e0bff5377663526c7ca85aaa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/331096/

Comments