MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 940089bbf36611ee87fd96805eea9e203b94d6c2052c5fdb1c8db8ffdd044a14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	940089bbf36611ee87fd96805eea9e203b94d6c2052c5fdb1c8db8ffdd044a14
SHA3-384 hash:	d3f60bda6d6ddbc6473ad9da24d24d4fe738ffc16e36b79fb1d1dcaf8d1bacade5b05b6126d31ff75c4d14411a262201
SHA1 hash:	4d85d30aeedfea586e0427355cee46a1ae7076b3
MD5 hash:	f62d4211a12a08a5129e1a7af7ee860e
humanhash:	social-iowa-black-fruit
File name:	INV9019849.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'295'321 bytes
First seen:	2024-05-20 13:20:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0560f063e7363d920c1f0f9c018c6a15 (14 x AgentTesla, 2 x Formbook, 2 x RemcosRAT)
ssdeep	24576:5JZMADBzPPQGA3zH6s5K4Z3LBz+c11wwupKJGg5kknrbkwh:RpZAmM3LhTwwupQpkk86
Threatray	4'366 similar samples on MalwareBazaar
TLSH	T11B55F10226AC06F9E677E13AC9954E82F6F2FC184720E78703F486666F236955E3F351
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

349

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

940089bbf36611ee87fd96805eea9e203b94d6c2052c5fdb1c8db8ffdd044a14.exe

Verdict:

Malicious activity

Analysis date:

2024-05-20 12:35:47 UTC

Tags:

smtp agenttesla stealer

Link:

https://app.any.run/tasks/33bdd9c9-7389-4694-a57a-60471378e4c3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.1%

Tags:

Encryption Execution Infostealer Network Static Stealth Gensteal

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Using the Windows Management Instrumentation requests

Reading critical registry keys

Connection attempt to an infection source

DNS request

Connection attempt

Sending an HTTP GET request

Creating a window

Stealing user critical data

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint overlay packed

Link:

https://www.filescan.io/uploads/664b4e43636c5be33c811493/reports/2d4c2726-d155-4ccf-a806-b3a32ce5a45b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/940089bbf36611ee87fd96805eea9e203b94d6c2052c5fdb1c8db8ffdd044a14

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c289d749-3990-434a-b1f4-8a811a525765

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

spre.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1444286

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: RegAsm connects to smtp port

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

26%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/940089bbf36611ee87fd96805eea9e203b94d6c2052c5fdb1c8db8ffdd044a14

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/940089bbf36611ee87fd96805eea9e203b94d6c2052c5fdb1c8db8ffdd044a14/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2024-05-20 01:13:00 UTC

File Type:

PE+ (Exe)

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sqaito7tmyi65b75s2af52u6ea5zjvwcauwf7wy4rw4p7xiejika._file

Verdict:

malicious

AgentTesla

4af4e807a39641a52d870358fa8b6486927f7f5daeb94a2a75d9e117ba41a3ea

AgentTesla

5a9523bba8e40c9d642fd99e046c4c06ddb7174cb26da584ccc0db4aea139f87

AgentTesla

7b67d0a145d4a5d7c1743269452d08bc56bfcb91d93786a375e288f94dd265f8

AgentTesla

c907b5ee8b9aae5ad661042f2aed0338df90653b95dad072ef8d8c0b582bc46b

AgentTesla

e5ba47d37554211c555170329555afae35d41989297a18bddbf33bfb2d30a6f0

AgentTesla

+ 4'356 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/240520-qlnj2scg7x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/57658b52-78ef-4f37-b3db-bccd03d887d7

Unpacked files

SH256 hash:

940089bbf36611ee87fd96805eea9e203b94d6c2052c5fdb1c8db8ffdd044a14

MD5 hash:

f62d4211a12a08a5129e1a7af7ee860e

SHA1 hash:

4d85d30aeedfea586e0427355cee46a1ae7076b3

Link:

https://www.unpac.me/results/38b572c9-8b88-4add-bd36-991f4b59c6d2/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/940089bbf366/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/940089bbf36611ee87fd96805eea9e203b94d6c2052c5fdb1c8db8ffdd044a14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample