MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85dbaf3c1ef1403904104404461f1a40b9a0382c30babdc8db98c5dd38d1c7f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85dbaf3c1ef1403904104404461f1a40b9a0382c30babdc8db98c5dd38d1c7f7
SHA3-384 hash: 7b5083978005fa8ec3eed631e0eaf6606f5f5309f1173310f1ca22b2d31dec4f37cb173c85d3156d28b30f3235e99755
SHA1 hash: 7517de1928d6712edf071e5099797ca38abfba73
MD5 hash: d49da3fa6c354d649d13165e9fb6fba0
humanhash: hawaii-grey-west-mango
File name:SecuriteInfo.com.W32.AIDetectNet.01.7654.16806
Download: download sample
Signature AgentTesla
Create hunting rule
File size:961'024 bytes
First seen:2022-07-11 10:55:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:vR05WSuGZzB62EvNFgR8V2p1O2dPU4/FLZAOxArtvygo2YsI:JQcAxIUFpbZLanrtygrYs
Threatray 20'278 similar samples on MalwareBazaar
TLSH T10915E1CAA054E950F02A097C31FEF3D451B1AC7AC99D7DDEB862703E49F0577242A6CA
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0ccf096c8f2ccf0 (15 x AgentTesla, 7 x Formbook, 5 x Loki)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.7654.16806
Verdict:
Malicious activity
Analysis date:
2022-07-11 19:08:28 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/3c7978ba-aff3-448a-9459-caec8f70d5ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/286182/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.7654.16806.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62cc01cabbcf6baf279357d0/reports/b16d0779-d521-4cdd-8459-dfd38ff43637/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e619a0c7-d921-45c7-ba3b-670fb1d90fdd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1028468
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 660965 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 11/07/2022 Architecture: WINDOWS Score: 100 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 7 other signatures 2->43 7 SecuriteInfo.com.W32.AIDetectNet.01.7654.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\WZAZPrFmamHc.exe, PE32 7->23 dropped 25 C:\Users\...\WZAZPrFmamHc.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp9CC0.tmp, XML 7->27 dropped 29 SecuriteInfo.com.W...Net.01.7654.exe.log, ASCII 7->29 dropped 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->45 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->47 49 Uses schtasks.exe or at.exe to add and modify task schedules 7->49 51 2 other signatures 7->51 11 SecuriteInfo.com.W32.AIDetectNet.01.7654.exe 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 qualityconsultores.cl 67.212.174.154, 49795, 587 SINGLEHOP-LLCUS United States 11->31 33 192.168.2.1 unknown unknown 11->33 35 mail.qualityconsultores.cl 11->35 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->53 55 Tries to steal Mail credentials (via file / registry access) 11->55 57 Tries to harvest and steal ftp login credentials 11->57 59 Tries to harvest and steal browser information (history, passwords, etc) 11->59 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/85dbaf3c1ef1403904104404461f1a40b9a0382c30babdc8db98c5dd38d1c7f7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 07:52:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxn26pa66fadsbaqiqcemhy2ic42aobmgc5l3sg3tdc52ogry73q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
5a9b7d77317d0a0aeba87971e7ddc528a96eca2f95351e190d6b09701f78fa44
AgentTesla
76bf1e687e5092ee9855c9db8577a6cb68d437833acf7bebebfb1fc1cbda167d
AgentTesla
878c17caa7d1ef6630b8053b0d552fe7c9103ce6219a4e29f83fc343fb7e945e
AgentTesla
89b950ea92bec7e3a79c7d58e12745d73cc894b439944c5684441e551f2ef7d8
AgentTesla
96ad00d53b672f1130e2dbee01a90ce858fe5ad5718b28f992d49f5bbdd63803
AgentTesla
ad32f72bfe35c4a7dcee11b48952f05b53a94c187066f03eaad861b2e27760b7
AgentTesla
+ 20'268 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220711-m1nxksage7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0ebb1062ae386d8d7236798bf1c0f390ee4eb210b3259a3392aecab7c91fd148
MD5 hash:
ee5ceb66531b546db83b9040e5aa0ba7
SHA1 hash:
e1a753585f88083cda6ae32b6cd7a9f8c6588141
Link:
https://www.unpac.me/results/5ab3b141-2298-4ba4-91ad-92a7ae9eae50/
SH256 hash:
0fae1855c65d635d55e5f6aa450d8c9f3bd63c5cb4ef8e7d6947757b6c4a812e
MD5 hash:
51b3e4f94acfd5f6febdeda4f4e09db3
SHA1 hash:
c526c72601e747287c80aebb4357e6091aa2a960
Link:
https://www.unpac.me/results/5ab3b141-2298-4ba4-91ad-92a7ae9eae50/
SH256 hash:
b77da0bc9237c7b71c7e5a6f2fa22251dbac9687f8e47d321dc14b51b2bad9d7
MD5 hash:
53e7b278d3b869776cabeba9f8236af1
SHA1 hash:
9a96827c94d2ed3f3f1057ddbfde5be9d9b43361
Link:
https://www.unpac.me/results/5ab3b141-2298-4ba4-91ad-92a7ae9eae50/
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/5ab3b141-2298-4ba4-91ad-92a7ae9eae50/
SH256 hash:
fb0da328466eb87102a90a82ee009679a800efb649c53623481e3047a2154288
MD5 hash:
84a6d247488110e5c80fc2ec4a3061c8
SHA1 hash:
2faa79fa57af05bc6f7cc4978376a912c132354e
Link:
https://www.unpac.me/results/5ab3b141-2298-4ba4-91ad-92a7ae9eae50/
SH256 hash:
85dbaf3c1ef1403904104404461f1a40b9a0382c30babdc8db98c5dd38d1c7f7
MD5 hash:
d49da3fa6c354d649d13165e9fb6fba0
SHA1 hash:
7517de1928d6712edf071e5099797ca38abfba73
Link:
https://www.unpac.me/results/5ab3b141-2298-4ba4-91ad-92a7ae9eae50/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/85dbaf3c1ef1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85dbaf3c1ef1403904104404461f1a40b9a0382c30babdc8db98c5dd38d1c7f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/286182/

Comments