MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88c57d68e2ca4a359aaf8a1d6225ce440657f02c27f2e87f61cf72d93b4ae956. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88c57d68e2ca4a359aaf8a1d6225ce440657f02c27f2e87f61cf72d93b4ae956
SHA3-384 hash: 5e88dbb0f524117a103fc1799b5ce9e05f6acd32669ff08b94f7d9178bca03bfc2ea0e5b42e02796f17fbe242a64f607
SHA1 hash: 909492de26131649fdcdc41bbdf81addd1c0e786
MD5 hash: 4800ebd004e4134b0fe7aac791f66ced
humanhash: avocado-kansas-south-snake
File name:4800ebd004e4134b0fe7aac791f66ced.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:697'344 bytes
First seen:2023-04-24 14:35:57 UTC
Last seen:2023-05-13 22:43:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:HKHEjY+LaE5czMZm81UuhWbnk1nLn9mWbavvSy2p3NIYxVhOO/uLqy:H7P5PWZw59wvvSy2dv7h92Lqy
Threatray 2'517 similar samples on MalwareBazaar
TLSH T125E4BE2B622AD5B6E15E66B3D0D517FB0F6C2ECAFD79A0430BA87CD431727B90B48411
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla FTP exfil server:
ftp.redemed.xyz:1

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
4800ebd004e4134b0fe7aac791f66ced.exe
Verdict:
Malicious activity
Analysis date:
2023-04-24 14:51:27 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/5e45adfb-2595-4e4b-80c4-7aa67dbd4963

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/384603/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/644693e137cce82f3a54e08a/reports/56f5f653-6d16-4fbb-9612-f1bbd0513b51/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/88c57d68e2ca4a359aaf8a1d6225ce440657f02c27f2e87f61cf72d93b4ae956
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/963a952b-a964-4191-a37d-9db715f10c51
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1220087
Signature
.NET source code contains potential unpacker
Creates autostart registry keys with suspicious names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 853033 Sample: R516o1Yt6o.exe Startdate: 24/04/2023 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected AgentTesla 2->59 61 3 other signatures 2->61 6 R516o1Yt6o.exe 3 2->6         started        10 svchost#.exe 3 2->10         started        12 svchost#.exe 2 2->12         started        process3 file4 25 C:\Users\user\AppData\...\R516o1Yt6o.exe.log, ASCII 6->25 dropped 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->63 65 May check the online IP address of the machine 6->65 67 Performs DNS queries to domains with low reputation 6->67 14 R516o1Yt6o.exe 17 10 6->14         started        69 Multi AV Scanner detection for dropped file 10->69 71 Machine Learning detection for dropped file 10->71 19 svchost#.exe 14 7 10->19         started        21 svchost#.exe 10->21         started        23 svchost#.exe 12->23         started        signatures5 process6 dnsIp7 31 ftp.redemed.xyz 91.235.116.232, 21, 49702, 49703 THCPROJECTSRO Romania 14->31 33 api4.ipify.org 64.185.227.155, 443, 49701, 49704 WEBNXUS United States 14->33 41 2 other IPs or domains 14->41 27 C:\Users\user\AppData\...\svchost#.exe, PE32 14->27 dropped 29 C:\Users\...\svchost#.exe:Zone.Identifier, ASCII 14->29 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->43 45 Tries to steal Mail credentials (via file / registry access) 14->45 47 Creates autostart registry keys with suspicious names 14->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->49 35 api.ipify.org 19->35 37 173.231.16.77, 443, 49705 WEBNXUS United States 23->37 39 api.ipify.org 23->39 51 Tries to harvest and steal browser information (history, passwords, etc) 23->51 53 Installs a global keyboard hook 23->53 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88c57d68e2ca4a359aaf8a1d6225ce440657f02c27f2e87f61cf72d93b4ae956/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-04-24 09:26:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdcx22hczjfdlgvpriowejooiqdfp4bme7zoq73bz5znso2k5fla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0451b9c358b1404717f5060aea5711327cf169cd4c5648f5ac23f1a1fb740716
AgentTesla
13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106
AgentTesla
1eb3cc840b6cba8b0893ff4e75fee247f93dfc6d3afe173834439041f8feaaec
AgentTesla
1ed3c374ac458fc9701a422c5608bf80c161a9a4adf4fdd596a7d885c9048de7
AgentTesla
321cacca1d81268ded64db8dfe9325631165d5000d4d2966564f6c6f7fb383d1
AgentTesla
4918ca9b45ac35ea8c6c75c1524e3e87e940e373189bc7b6d18b0219695a8f78
AgentTesla
8ec8019892b2f4625446c785c98dce87ac6362cbbdef61f57c4787ec35bbb262
AgentTesla
a494db0ac3044848e328e4df3cda6dfd698f5389376623cf9936cfc7ce5a31ad
AgentTesla
b828e57eb67420551529ae16c87e86a405a6805698df6957a45f409edcfa7733
AgentTesla
d850ceb318e1d078e00f9f59ff80f6775b8f19bfa26f5f0750582a73e51e4fcf
AgentTesla
+ 2'507 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230424-ryk55aeb6x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
77d68a10ccc2564f15c47fa7d0a4fb3970bcef39aa505f1b3673565d91701278
MD5 hash:
e286629d834b598cce3c99b041a51bf3
SHA1 hash:
9b5b2661af48255ed3d61c82524b9dd838a53fd8
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/66bb8552-8e93-4ced-b376-eafcb0380208/
Parent samples :
a84ce871209f18192168c19b17bc3c0061aff83a98611828128a54fafde6d4a6
88c57d68e2ca4a359aaf8a1d6225ce440657f02c27f2e87f61cf72d93b4ae956
SH256 hash:
346f781aab4e7b0677c714c92bff05fd5fe10d543a74d9a0efe1f5fda78ce04c
MD5 hash:
61640a3a119a717dafab679f47ec9862
SHA1 hash:
612c6fd4b877f93318ba65eae48604e7eaa96144
Link:
https://www.unpac.me/results/66bb8552-8e93-4ced-b376-eafcb0380208/
SH256 hash:
8bb9aeb05b93c600e7b7c1cc104218aafe09315262cb4b8de624c7d61f6b845f
MD5 hash:
43457522ccf6999d1fb32878af368a96
SHA1 hash:
5651edbfb6f4f60e2593d1370969449edd33ed0a
Link:
https://www.unpac.me/results/66bb8552-8e93-4ced-b376-eafcb0380208/
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/66bb8552-8e93-4ced-b376-eafcb0380208/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/66bb8552-8e93-4ced-b376-eafcb0380208/
SH256 hash:
88c57d68e2ca4a359aaf8a1d6225ce440657f02c27f2e87f61cf72d93b4ae956
MD5 hash:
4800ebd004e4134b0fe7aac791f66ced
SHA1 hash:
909492de26131649fdcdc41bbdf81addd1c0e786
Link:
https://www.unpac.me/results/66bb8552-8e93-4ced-b376-eafcb0380208/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88c57d68e2ca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/88c57d68e2ca4a359aaf8a1d6225ce440657f02c27f2e87f61cf72d93b4ae956

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 88c57d68e2ca4a359aaf8a1d6225ce440657f02c27f2e87f61cf72d93b4ae956

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2377928/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/384603/

Comments