MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 923feb3e35182aa195f2e048d85b9f903dd4f9d8e0c0f333e39d955834854ed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 923feb3e35182aa195f2e048d85b9f903dd4f9d8e0c0f333e39d955834854ed2
SHA3-384 hash: 25ae2dc08dd1efdae9eb7df2f78bd7302d83e626c28be51fa8845d0dbba41ed612e95deeff5655630a2ca3397b2552ad
SHA1 hash: f4a4b7915663d4d25d31b9a63b9acf20956b8150
MD5 hash: dfc6db04dc518bca95891c1a92bdbbee
humanhash: thirteen-fifteen-cola-north
File name:dfc6db04dc518bca95891c1a92bdbbee
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'175'040 bytes
First seen:2022-07-25 19:40:33 UTC
Last seen:2022-07-25 21:33:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:2kpjn6ydGQeuK+Ex8Kvx/68q17X6q68GhY:H/QQTEx/68q17
Threatray 18'853 similar samples on MalwareBazaar
TLSH T1C6458C84B6B84916C6AEB7FC802605908374AD63A851DB9D717430EA7DB2F97CD013EF
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
449
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294104/
Detection(s):
SecuriteInfo.com.Variant.Barys.324979.22775.23136.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching a service
Changing a file
Reading critical registry keys
Creating a window
Unauthorized injection to a recently created process
Blocking the User Account Control
Stealing user critical data
Adding exclusions to Windows Defender
Changing the hosts file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys
Link:
https://www.filescan.io/uploads/62def24bcfc30516768b3b49/reports/ee50fbe8-3f93-431b-87c6-accdd44f216f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/291a12e0-2099-46a7-90c9-64494709cb8a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1040661
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to hide user accounts
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 673155 Sample: 6firs8hDN0 Startdate: 25/07/2022 Architecture: WINDOWS Score: 100 87 Malicious sample detected (through community Yara rule) 2->87 89 Multi AV Scanner detection for submitted file 2->89 91 Yara detected UAC Bypass using CMSTP 2->91 93 8 other signatures 2->93 9 6firs8hDN0.exe 3 6 2->9         started        process3 file4 77 f812bd33-22cb-483c-8325-8978df4e5946.exe, PE32 9->77 dropped 79 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 9->79 dropped 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->95 97 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->97 99 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->99 101 Adds a directory exclusion to Windows Defender 9->101 13 f812bd33-22cb-483c-8325-8978df4e5946.exe 44 2 9->13         started        16 6firs8hDN0.exe 9->16         started        20 powershell.exe 26 9->20         started        22 3 other processes 9->22 signatures5 process6 dnsIp7 103 Multi AV Scanner detection for dropped file 13->103 24 PkgMgr.exe 13->24         started        26 PkgMgr.exe 13->26         started        28 PkgMgr.exe 13->28         started        30 conhost.exe 13->30         started        81 tricomcomputacion.com 192.254.211.36, 49768, 587 UNIFIEDLAYER-AS-1US United States 16->81 83 192.168.2.1 unknown unknown 16->83 85 mail.tricomcomputacion.com 16->85 57 C:\Windows\System32\drivers\etc\hosts, ASCII 16->57 dropped 105 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->105 107 Tries to steal Mail credentials (via file / registry access) 16->107 109 Tries to harvest and steal ftp login credentials 16->109 111 2 other signatures 16->111 32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 22->36         started        38 AdvancedRun.exe 22->38         started        file8 signatures9 process10 process11 40 Dism.exe 24->40         started        43 Dism.exe 26->43         started        45 Dism.exe 28->45         started        file12 71 52 other files (none is malicious) 40->71 dropped 47 conhost.exe 40->47         started        49 DismHost.exe 40->49         started        59 C:\Users\user\AppData\...\WimProvider.dll.mui, PE32 43->59 dropped 61 C:\Users\user\AppData\...\VhdProvider.dll.mui, PE32 43->61 dropped 63 C:\Users\user\...\UnattendProvider.dll.mui, PE32 43->63 dropped 73 49 other files (none is malicious) 43->73 dropped 51 conhost.exe 43->51         started        53 DismHost.exe 43->53         started        65 C:\Users\user\AppData\...\VhdProvider.dll.mui, PE32 45->65 dropped 67 C:\Users\user\...\UnattendProvider.dll.mui, PE32 45->67 dropped 69 C:\Users\user\...\TransmogProvider.dll.mui, PE32 45->69 dropped 75 30 other files (none is malicious) 45->75 dropped 55 conhost.exe 45->55         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/923feb3e35182aa195f2e048d85b9f903dd4f9d8e0c0f333e39d955834854ed2/
Threat name:
ByteCode-MSIL.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2022-07-25 19:41:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=si76wprvdavkdfps4benqw47sa65j6oy4dapgm7dtwkvqnefj3ja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4fceb4df6ab4101b304b188fd8ae5de4b3e1bfc29a9de2b0f5b001adfc454d18
AgentTesla
99242cd4755c4c9aaaf4d39d77adec7981e6c4f25dbaefc5ecadddce576a35a8
AgentTesla
c5f361b5d9afb24923543df1940de03fc6923755aa5dc15e50e9ba8bf890165a
AgentTesla
c8e7095edd7c1d3ac3442ae1f29e34681ea348c5d8bdf3cb1a684c12498b3793
AgentTesla
e3458b4811b78ac8a2391f21b3579fef0ec7eb4f462a1c4cb3301d7c038253bd
AgentTesla
e9bd3df24e3beacf41ddecf97a34c5cfdd696ad9d58e3fbe79dbea8f88487ad5
AgentTesla
+ 18'843 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220725-yd3yrscca9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
Maps connected drives based on registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Checks BIOS information in registry
Checks computer location settings
Drops file in Drivers directory
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Nirsoft
AgentTesla
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/1d0d7bbe-3f74-47c1-9b8c-86dfcfb55924/
SH256 hash:
f504d3815199026185fc891d2c73b439839bbff00584372ee626ddd5ac029e6d
MD5 hash:
3dcde301445c99c73fa45a96f8757c5c
SHA1 hash:
b4b36d28dd937a602f8556f9e76bbe4160f4343d
Link:
https://www.unpac.me/results/1d0d7bbe-3f74-47c1-9b8c-86dfcfb55924/
SH256 hash:
923feb3e35182aa195f2e048d85b9f903dd4f9d8e0c0f333e39d955834854ed2
MD5 hash:
dfc6db04dc518bca95891c1a92bdbbee
SHA1 hash:
f4a4b7915663d4d25d31b9a63b9acf20956b8150
Link:
https://www.unpac.me/results/1d0d7bbe-3f74-47c1-9b8c-86dfcfb55924/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/923feb3e3518/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/923feb3e35182aa195f2e048d85b9f903dd4f9d8e0c0f333e39d955834854ed2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 923feb3e35182aa195f2e048d85b9f903dd4f9d8e0c0f333e39d955834854ed2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2261067/
Cape
Cape
https://www.capesandbox.com/analysis/294104/

Comments


Avatar
zbet commented on 2022-07-25 19:40:44 UTC

url : hxxp://107.174.138.192/OP.exe