MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90c969a104f33d6c89449d251002a70b17a89b451da43cd0a71e19f167205293. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	90c969a104f33d6c89449d251002a70b17a89b451da43cd0a71e19f167205293
SHA3-384 hash:	a43f0308af70e1bd1a2655a599ce52743d64906343d40e75de151743ff3e3654a68a7c8c8bdb0602e70e03e76c0b0fbb
SHA1 hash:	af188b5e9c690e38d4d137c63d0f0220439e4504
MD5 hash:	4ad9dedd170b73c8fd77e8d08fe9a300
humanhash:	earth-snake-don-sweet
File name:	SecuriteInfo.com.Win32.DropperX-gen.26829.1574
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'229'824 bytes
First seen:	2023-08-25 04:28:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:tzCv00BIkcgGTj7TwIYWTAZllCS/ElQct47VEzI0:hOGTj7s0k/EyO47qF
Threatray	5'617 similar samples on MalwareBazaar
TLSH	T1DA457C03B657C9A5D1489B3AC58F624407A9DA513BAFC7AE7EEE137104033E5ED81E0B
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Win32.DropperX-gen.26829.1574

Verdict:

Malicious activity

Analysis date:

2023-08-25 04:30:53 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/3c5530e5-9fe5-4124-b0c9-7e857407eb2d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/444644/

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.26829.1574.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64e82e0fd7ae0984750ec4b9/reports/1db34dea-d25e-4e17-a5c9-928de46b53d3/overview

Verdict:

Malicious

Labled as:

Trojan.Mardom.MN.Generic

Link:

https://www.hybrid-analysis.com/sample/90c969a104f33d6c89449d251002a70b17a89b451da43cd0a71e19f167205293

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e1403221-8c8c-457d-8ef1-0f647d25c1c0

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1297153

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates multiple autostart registry keys

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: MSBuild connects to smtp port

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/90c969a104f33d6c89449d251002a70b17a89b451da43cd0a71e19f167205293/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-08-25 00:16:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sdewtiie6m6wzcketusraavhbml2rg2fdwsdzufhdym7czzakkjq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

27e4134c13c4d29e345e79a9aa6a14498b048ae3877e01a6dd87c122aa89f54b

AgentTesla

3315bcd2571eaa4f2730a093f359224d554943d6e411e74be1802a9deeb6c136

AgentTesla

caca5d5339d47737b3e7995ae6bed4b6c2f92a88f7368020726e6ab94726b2eb

AgentTesla

cc0ff94435a883b461d26716d636619c6c670e6e574a2f58ad76f5c1f6de5d40

AgentTesla

db802f34784957d3338aeb17fa23e3206d00dba3c5874e9bdfae25edb0691dda

AgentTesla

dd7ace63ca3c3c6c8fad312a3b8fd2d022364bfd04228e511aa6e72d28c00e5e

AgentTesla

ef3d3d5b989b883d8cef90f1e2f40c1c722037390db0bc735a552510c7867394

AgentTesla

f865712074af18fd3e39087342df5c158f0ae596a753eaedc0ddd724ce231d95

AgentTesla

+ 5'607 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/230825-e38qrshb37/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

e31337ed1e7caca78410edf3d3ab902086c632dd4d05e6490b63695dcc79e64b

MD5 hash:

9b7bc3379e93bae4d81bf3bb3e7a1453

SHA1 hash:

b40c149784940f64e8d879cef3c7db994ce77e25

Detections:

AgentTesla

Link:

https://www.unpac.me/results/c4cf7acb-e749-40cc-ab25-397befeb9959/

Parent samples :

ef3d3d5b989b883d8cef90f1e2f40c1c722037390db0bc735a552510c7867394
3315bcd2571eaa4f2730a093f359224d554943d6e411e74be1802a9deeb6c136
1cc4477f2ab0c933ebecfa365ceba14eac86438d11dd5e42626e4aaf45199c68
db802f34784957d3338aeb17fa23e3206d00dba3c5874e9bdfae25edb0691dda
90c969a104f33d6c89449d251002a70b17a89b451da43cd0a71e19f167205293
71e7dfba6cd94d1be1096f5d2ac0938c3bc4bedbe649f422eef44f9821f170ab
ff15b350c7e36195d41344e9b6eb4c9ac3a4648b3db76df9db8d1dbe24ef4bfa
d586099dd209b92c47190ee099d0f3c61ea3835815d70347b3974e59a2670ac6

SH256 hash:

f6b153b0371ac2f842c7184254c0d0eaf4d85b524a4856ba78db98df3a7d638a

MD5 hash:

1df16728018e14fe296dede476dec690

SHA1 hash:

913054631b8274492623d75f31127f46f4932b58

Link:

https://www.unpac.me/results/c4cf7acb-e749-40cc-ab25-397befeb9959/

SH256 hash:

870a3007892aa3e7386a8d715ccb99250650a3599a197a1a559648d93d050bfd

MD5 hash:

0590f5f94e1f1994d48a995228bc994c

SHA1 hash:

5674882965815bc5ab6b8dedcea083cff0e30898

Link:

https://www.unpac.me/results/c4cf7acb-e749-40cc-ab25-397befeb9959/

SH256 hash:

4556288989d5fc8e35775e428787dc073d88d097cf7e6c73c29efc392748efd7

MD5 hash:

ce41d87eb0ecc8997e723c2d86faf182

SHA1 hash:

354daa2a942d5010dccd4ce1cbe7cc21203e8368

Link:

https://www.unpac.me/results/c4cf7acb-e749-40cc-ab25-397befeb9959/

SH256 hash:

90c969a104f33d6c89449d251002a70b17a89b451da43cd0a71e19f167205293

MD5 hash:

4ad9dedd170b73c8fd77e8d08fe9a300

SHA1 hash:

af188b5e9c690e38d4d137c63d0f0220439e4504

Link:

https://www.unpac.me/results/c4cf7acb-e749-40cc-ab25-397befeb9959/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/90c969a104f3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/90c969a104f33d6c89449d251002a70b17a89b451da43cd0a71e19f167205293

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/444644/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample