MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2
SHA3-384 hash: b1c15f6ef8e2fd429147f39855cab6c5c924df77c4e980ce638b73677bb05bb01502b718f83bb00fbbd5329b1e5eb5d0
SHA1 hash: 38981edc6ce8e39eb9644d1e8942a4317b17c43f
MD5 hash: 80db50a5a702d2911e7e2d1ebaf80361
humanhash: blossom-massachusetts-video-grey
File name:Molex part # 1300130287(x1120 pcs).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:501'533 bytes
First seen:2023-09-27 07:45:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 40 x GuLoader, 25 x RemcosRAT)
ssdeep 12288:NnPdEaDT2T0FvA8ZTI4GEIcdkETQ16fWQ6NU:BPdhyT0+U02IcmgqNU
Threatray 5'805 similar samples on MalwareBazaar
TLSH T167B41301A0A4D8FEEDA14F7065361D2682E3EE1568B8E30F5B1139CB76736D3B11E762
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6975a6ac8c163681 (4 x AgentTesla, 1 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Molex part # 1300130287(x1120 pcs).exe
Verdict:
Malicious activity
Analysis date:
2023-09-27 07:47:23 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/2ad697ef-8fb6-4470-97e5-5e21a6ec1be3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451499/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1550.15417.2796.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6513ddbb83a0c6425d007de2/reports/9e641bfc-f840-451c-a262-a92097ceeed7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8e56eb0-39c1-4dee-96bf-ea65e6cd3ca7
Result
Threat name:
AgentTesla, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1315057
Signature
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2023-09-25 13:15:37 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbeb7snywk7lkzfolde22vi5haikcx53lct5zgeuift6f6hs37ja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8
AgentTesla
505727b56d70693677cd53bf8e29770f00f0a98b5eb741c3f98621f96f8d5514
AgentTesla
58357272406c20e677f34777d792bdecc67f8502616621858a609d9cd8e3bd7e
AgentTesla
59e8d4adc87713d6243f1130289d36da2fbd84aca576a0bc1a99d1728f29c756
AgentTesla
7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4
AgentTesla
86c93b4c01ca5cf2a505360e36677d0f5e5c159ba32a84019c8ef0e1e28cd596
AgentTesla
8ac1c0f03f5591ee9291e375cb28afa7175defc336e2d3e834a339d4a8b4d7a6
AgentTesla
dc5eb730f1df702be89804ca234b60fec5fed7b6ed8d6c719f7006f40775f888
AgentTesla
+ 5'795 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230927-jlyxfsac86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
77d99fd96db69bfb826c09fb65fa592597b667f9f1f6b286a7a10d884d34577a
MD5 hash:
e90f2ebfdc75d526692f3ca90d7effd5
SHA1 hash:
1776734bc90fd8376c549105b18ecf402d78a8f6
Link:
https://www.unpac.me/results/9f68464a-a456-4225-899a-57f16c751c40/
SH256 hash:
88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2
MD5 hash:
80db50a5a702d2911e7e2d1ebaf80361
SHA1 hash:
38981edc6ce8e39eb9644d1e8942a4317b17c43f
Link:
https://www.unpac.me/results/9f68464a-a456-4225-899a-57f16c751c40/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88481fc9b8b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/451499/

Comments