MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94a6386de18fd5bdceb96d6f99251a6cf8ea6d03de7dc01acd8c84260acbbb22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94a6386de18fd5bdceb96d6f99251a6cf8ea6d03de7dc01acd8c84260acbbb22
SHA3-384 hash: dccd0b476d3d03f141e0e4837d558e1ed2189ebb6fb6233268cceb286189de8ab4f44c87010a93dbdddda6027e1b5b1f
SHA1 hash: 33eeb3c86ed0699a701a50017e081482bbcb844d
MD5 hash: 7c8eecdfc94e177026078da1d8de47dd
humanhash: idaho-salami-angel-robin
File name:doc0148492023021710544 (2).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'231'872 bytes
First seen:2023-03-06 07:20:27 UTC
Last seen:2023-03-06 08:28:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cTQYZrKMOOzHGbX6ZJEAJxh7iJda09Nht58ipYvwsUXOL:+QmOMlbKWJxv7i7N/58EFPe
Threatray 156 similar samples on MalwareBazaar
TLSH T17645422809BC0AF28461FFB99FD4F713A9808CE6A6049D558EC37789573295730ABD3D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1535756961554945 (2 x AveMariaRAT, 1 x Neshta, 1 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
doc0148492023021710544 (2).exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 07:20:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/57902a3a-afff-4c1f-87b8-e46817f97c3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371789/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6405946147dff094b5287a68/reports/cc34ef89-3fe2-4d0e-935a-ef44cb5eba45/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/94a6386de18fd5bdceb96d6f99251a6cf8ea6d03de7dc01acd8c84260acbbb22
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fac68cd7-7368-495e-b49c-5ce4dbdf0470
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187541
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 820416 Sample: doc0148492023021710544 (2).exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 9 other signatures 2->59 7 RvOgBkxSrU.exe 5 2->7         started        10 doc0148492023021710544 (2).exe 7 2->10         started        process3 file4 61 Multi AV Scanner detection for dropped file 7->61 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->63 65 May check the online IP address of the machine 7->65 71 2 other signatures 7->71 13 RvOgBkxSrU.exe 7->13         started        17 schtasks.exe 7->17         started        35 C:\Users\user\AppData\...\RvOgBkxSrU.exe, PE32 10->35 dropped 37 C:\Users\...\RvOgBkxSrU.exe:Zone.Identifier, ASCII 10->37 dropped 39 C:\Users\user\AppData\Local\Temp\tmpDB8.tmp, XML 10->39 dropped 41 C:\...\doc0148492023021710544 (2).exe.log, ASCII 10->41 dropped 67 Adds a directory exclusion to Windows Defender 10->67 69 Injects a PE file into a foreign processes 10->69 19 doc0148492023021710544 (2).exe 15 7 10->19         started        21 powershell.exe 21 10->21         started        23 powershell.exe 21 10->23         started        25 2 other processes 10->25 signatures5 process6 dnsIp7 43 104.237.62.211, 443, 49698 WEBNXUS United States 13->43 45 api.ipify.org 13->45 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->73 75 Tries to steal Mail credentials (via file / registry access) 13->75 77 Tries to harvest and steal browser information (history, passwords, etc) 13->77 27 conhost.exe 17->27         started        47 api4.ipify.org 64.185.227.155, 443, 49695 WEBNXUS United States 19->47 49 api.telegram.org 149.154.167.220, 443, 49696, 49697 TELEGRAMRU United Kingdom 19->49 51 api.ipify.org 19->51 79 Installs a global keyboard hook 19->79 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94a6386de18fd5bdceb96d6f99251a6cf8ea6d03de7dc01acd8c84260acbbb22/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-03 08:55:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sstdq3pbr7k33tvznvxzsji2nt4ou3id3z64agwnrsccmcwlxmra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
24c69122ace7d707b1838376111192f2bcdbd02531521b656536773b8bc4710c
AgentTesla
366d56c69b0267ee6ac2a27cc199911123ed7f511d3e54ac1c69f52236644e84
AgentTesla
478dba764af2f0d8179f62518b9d675cec897722b4bc9dc75b5bf66cbca0b9a0
AgentTesla
808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd
AgentTesla
91855c7204cf7b1a4a56e87b16e5cde14eb8aba073690ca817f2b937130135d6
AgentTesla
c551529018bda5ce4f1f7c2fbbebad88a1544151676521feb0bb5fcacc4a48be
AgentTesla
ea46cc06d4376c90836299719c0fb4bdc65e8edfc9fa367d0daa3e7cd3e63e77
AgentTesla
f530c59ffce92c129896bbe4c2df821ac097d696e2a3f3f99e3bd4aaa5c6ace8
AgentTesla
+ 146 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230306-h6nfsabb29/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5841268171:AAF5UCtwJJFHg-ZOPzcnm1oNf_eTuN08AjI/
Unpacked files
SH256 hash:
0268cf76f31e697d2ddd7b2ebf744a12ea1b431beab521ab36c8e19b5922f4ea
MD5 hash:
310dca18f77633cc96703ed29ca6979d
SHA1 hash:
c8a3dfe89d90d81698559359d21f68e6d9246dae
Link:
https://www.unpac.me/results/0947c333-8542-4599-864b-69ae65969da9/
SH256 hash:
1bab001c090f2f208e39247f8eeaeb77a0740bc9be7fa755cd57a863b3d22dd3
MD5 hash:
90b3109cf9cc5342015fc1583a78b282
SHA1 hash:
bdddff1c96296a0dc9f8d808e3b2d5829a15d2d2
Link:
https://www.unpac.me/results/0947c333-8542-4599-864b-69ae65969da9/
SH256 hash:
eea13f378e688f61cb5d35fbab6b2f745ee2ecd7a77481e00df0bd5e82ce023b
MD5 hash:
050a11d48238cba87613864128b8de20
SHA1 hash:
9d272b3a5b112114da15bf595ea302362caff6e0
Link:
https://www.unpac.me/results/0947c333-8542-4599-864b-69ae65969da9/
SH256 hash:
9ac148907d8aa50fd53412eecdb45b40ad012eb195719a09add77b4ac8ecc2be
MD5 hash:
5c0e2e2e8dbbe2e52830ce71eaac4bf5
SHA1 hash:
52fe7f086b037a89ca4a6ce562ec8b26d59d965b
Link:
https://www.unpac.me/results/0947c333-8542-4599-864b-69ae65969da9/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/0947c333-8542-4599-864b-69ae65969da9/
SH256 hash:
94a6386de18fd5bdceb96d6f99251a6cf8ea6d03de7dc01acd8c84260acbbb22
MD5 hash:
7c8eecdfc94e177026078da1d8de47dd
SHA1 hash:
33eeb3c86ed0699a701a50017e081482bbcb844d
Link:
https://www.unpac.me/results/0947c333-8542-4599-864b-69ae65969da9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94a6386de18fd5bdceb96d6f99251a6cf8ea6d03de7dc01acd8c84260acbbb22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 5cb1c85ea2e79064dcf1728fb6a0080641106c23dade25ea1b3d5df7d88a180e

AgentTesla

Executable exe 94a6386de18fd5bdceb96d6f99251a6cf8ea6d03de7dc01acd8c84260acbbb22

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5cb1c85ea2e79064dcf1728fb6a0080641106c23dade25ea1b3d5df7d88a180e
Cape
Cape
https://www.capesandbox.com/analysis/371789/
  
Dropped by
MD5 1ca339cbffe5fe4c41d0f66289f7df14

Comments