MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84e9f33b682944d11444e1ddd0f27f2fa6c1d0ca29ed8a6a620b406233ef82a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14


SHA256 hash: 84e9f33b682944d11444e1ddd0f27f2fa6c1d0ca29ed8a6a620b406233ef82a0
SHA3-384 hash: 39f14ae6fc7bc6d626e03ed7955677883591fbef556c50c7538af5c3f0f5ef0a9206bff89a7c62f8fa3ad8b489a2c449
SHA1 hash: e6ce9d4a725cd807b42d99fa25f70ad85a0a6a0c
MD5 hash: f1e19cb77735aa1ec5609899b5fdde02
humanhash: kilo-california-happy-quebec
File name: SecuriteInfo.com.Win32.PWSX-gen.15388
Signature: AgentTesla
File size: 202'160 bytes
First seen: 2022-09-08 02:32:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 6144:hIH7oRE2e0scNU9iMB2BphEhDpERjpbK70WSe8cQMc:g7oRE2e0sviMwBphDRjpbM0WSeqMc
Threatray: 18'807 similar samples on MalwareBazaar
TLSH: T168149C887614B5CFC82BC932CAE94D2057A07CBB5717C617A09B32AD9A1CBD7CE141F6
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter: SecuriteInfoCom
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 393
Origin country: n/a

Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: SecuriteInfo.com.Win32.PWSX-gen.15388
Verdict: Malicious activity
Analysis date: 2022-09-08 02:34:50 UTC
Tags: agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
DNS request
Sending a custom TCP request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-09-08 00:51:08 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
AgentTesla
Unpacked files
SHA256 hash: a0a0569e9d6ad53808aa54a7d5dee10a5ceb1ee79a8d8ec10ac73e9c2f46aead
MD5 hash: b0bafad2feb91b6196f41df7271371e8
SHA1 hash: 53f04b2843c40832cb54faa3dd7a676263396f54

SHA256 hash: f6650299cc59a94123487873a6afbe371a3ca6b1f5e4e32c57cfe056c0759684
MD5 hash: 33a6b46d00c32a875b21b9cd3e363064
SHA1 hash: 25c1183f59d37445efed561882dca2da0478b687

SHA256 hash: 84e9f33b682944d11444e1ddd0f27f2fa6c1d0ca29ed8a6a620b406233ef82a0
MD5 hash: f1e19cb77735aa1ec5609899b5fdde02
SHA1 hash: e6ce9d4a725cd807b42d99fa25f70ad85a0a6a0c

Malware family: AgentTesla.v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments