MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90f62de446a1eae56b9d1b905354435f6748f1baf0a1de98f58314411b4f052b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90f62de446a1eae56b9d1b905354435f6748f1baf0a1de98f58314411b4f052b
SHA3-384 hash: b4dfc945cf8150f9dbebf3370a12cfe4edc1386f5f50fc83e3f5c015df801f0329a3f98dc60df2666f71dae9d7e80d0d
SHA1 hash: 84a93133ddbed610fe7b77dcaa1007aee7a5f75f
MD5 hash: 98a50b400b15823d1875170b5912a330
humanhash: five-iowa-kitten-happy
File name:SecuriteInfo.com.Win32.MalwareX-gen.29833.10913
Download: download sample
Signature AgentTesla
Create hunting rule
File size:983'040 bytes
First seen:2023-01-11 22:29:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:bNOtTKZv0VKsnqBQ1NaUQlzdnqJrYTSKIKTn6ALDxY:JSK2VKsSQ1NabzdnEB
Threatray 24'738 similar samples on MalwareBazaar
TLSH T1EC25BE9233F0D477F4CE133D4A2427D82CBA6256B2B4F23A5F232D95A2949FF7285149
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0010716971710020 (3 x AgentTesla, 3 x RemcosRAT, 1 x AveMariaRAT)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.MalwareX-gen.29833.10913
Verdict:
Malicious activity
Analysis date:
2023-01-11 22:30:44 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/b16b572f-7eb1-4510-bc67-b4d477abb2cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352082/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.29833.10913.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffecd2a8-e3e3-46bd-a6ff-7d01b0e34a01
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1149947
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782679 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 11/01/2023 Architecture: WINDOWS Score: 100 22 Malicious sample detected (through community Yara rule) 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected AgentTesla 2->26 28 4 other signatures 2->28 7 SecuriteInfo.com.Win32.MalwareX-gen.29833.10913.exe 4 2->7         started        process3 file4 20 SecuriteInfo.com.W...29833.10913.exe.log, ASCII 7->20 dropped 30 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->30 32 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->32 34 Adds a directory exclusion to Windows Defender 7->34 36 Injects a PE file into a foreign processes 7->36 11 SecuriteInfo.com.Win32.MalwareX-gen.29833.10913.exe 15 2 7->11         started        14 powershell.exe 20 7->14         started        16 SecuriteInfo.com.Win32.MalwareX-gen.29833.10913.exe 7->16         started        signatures5 process6 signatures7 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->38 40 Tries to steal Mail credentials (via file / registry access) 11->40 42 Tries to harvest and steal browser information (history, passwords, etc) 11->42 44 Installs a global keyboard hook 11->44 18 conhost.exe 14->18         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90f62de446a1eae56b9d1b905354435f6748f1baf0a1de98f58314411b4f052b/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-01-11 22:30:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sd3c3zcguhvok245doifgvcdl5tur4n26cq55ghvqmkecg2pauvq._file
Verdict:
malicious
Similar samples:
4a683b38bf8bcb7b198d4be37413033f2a015aaed075cbe81ba63e3190647dff
AgentTesla
52ab9f2e3878dd9fa61c7bbbdfff113485fb4c12f8af0fa28b938696d68e54bb
AgentTesla
6b985b8239b575b46b57f36daaa55e30efabf08e39f2a421e12f0e6b82cb5cc4
AgentTesla
70a6380ac61f933eddc4cd126d95836371a933c5a311882701a5eaa1fd8b99f7
AgentTesla
77ced15da197776d3e66903fd6eba7e5288761f6b3011922400fd3a6d920e2d9
AgentTesla
d548bfcde55e09b8314b273b6fc1eff79563961b965cb83a763f4bb1b6c424ac
AgentTesla
dfe7a0c2e727c18f17644d33c1db7547943da38d8c05b7103f865c88b6279896
AgentTesla
e19bcbf0c3ca0fe5e246cede2ef4ee264d0908faf4ca4b39aeb687c443f85f91
AgentTesla
fa2301c017f32fbe205082b01c1608826ea7e7346739c338ff222648b0b14c89
AgentTesla
ffb64f4d42dd2de275cbf4ae7b334ffdd8920ff8fec95aca9900493472603d16
AgentTesla
+ 24'728 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230111-2esqzaae2w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/97773ae0-7f4a-428c-82ea-37a9ba30ee6e
Unpacked files
SH256 hash:
9de3051d186fc434d73a782bd336aa97c52bbfcf15e0f636762943a1602723c7
MD5 hash:
5eaec94f0363d48345c3f96eb02d98be
SHA1 hash:
f39602504a65aea289d1245dda6db41aa7f865f7
Link:
https://www.unpac.me/results/583a2fd0-4ccb-4ae4-ba8f-de145ce5c586/
SH256 hash:
1c0072bd0c8fbf0e27d145a0ee7e34428936c2ddeba929d3f60e352891e7e0c6
MD5 hash:
b2d0625c46714e40a6a38238659ea9ed
SHA1 hash:
dc43d5d539eab67b7e3109d0e4894e099a1a18f8
Link:
https://www.unpac.me/results/583a2fd0-4ccb-4ae4-ba8f-de145ce5c586/
SH256 hash:
5c7b3fcb46d002d14473ea26d4a10f50a21afca36d0b6faaf01014da03105aaa
MD5 hash:
5fb780707e7d1d6add3049815f17d7d7
SHA1 hash:
5a9a13449bf8b0fd3f48b08b70f22778c1948926
Link:
https://www.unpac.me/results/583a2fd0-4ccb-4ae4-ba8f-de145ce5c586/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/583a2fd0-4ccb-4ae4-ba8f-de145ce5c586/
SH256 hash:
380a5d9e93dbd5ceb7c615164c44cb7c4ced891ce22cd4390acb1d5c7fd3bbc6
MD5 hash:
bf2aa08618290a817edada9748d122f0
SHA1 hash:
0199d3acdf70ecf144e95a86dfbd2d27f73864a6
Link:
https://www.unpac.me/results/583a2fd0-4ccb-4ae4-ba8f-de145ce5c586/
SH256 hash:
90f62de446a1eae56b9d1b905354435f6748f1baf0a1de98f58314411b4f052b
MD5 hash:
98a50b400b15823d1875170b5912a330
SHA1 hash:
84a93133ddbed610fe7b77dcaa1007aee7a5f75f
Link:
https://www.unpac.me/results/583a2fd0-4ccb-4ae4-ba8f-de145ce5c586/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/90f62de446a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90f62de446a1eae56b9d1b905354435f6748f1baf0a1de98f58314411b4f052b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/352082/

Comments