MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94b3c1fcf7fc898d958131debf45f492f218c8af57eede19ecb3d5b77a16df02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 7 File information Comments

SHA256 hash:	94b3c1fcf7fc898d958131debf45f492f218c8af57eede19ecb3d5b77a16df02
SHA3-384 hash:	5929b75682285d3f68a7e544c4a4769729118f99b0f5db870719f7c305ec1c6925ab6f6b5ca001c1f27e6762cd46065a
SHA1 hash:	2a0e657e8eb4b8cd17ef7163e4a3672272a455cb
MD5 hash:	966410eeaef9218253688d38271f1086
humanhash:	beryllium-island-whiskey-mirror
File name:	SecuriteInfo.com.Trojan.PackedNET.738.14263.14401
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	678'912 bytes
First seen:	2023-09-12 15:36:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:EhFPYyVF3jAKRak0FQ0/rYoVfAfkiZ0YWBe6h2COpZSQfIe2:Ejg+F3l0FQDoVIfkuyHsOcI9
Threatray	5'626 similar samples on MalwareBazaar
TLSH	T1BAE401636B42AB7DC63B8BF67C2582060732FD0FA850924999E5B1B65C31703907EF67
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Trojan.PackedNET.738.14263.14401

Verdict:

Malicious activity

Analysis date:

2023-09-12 15:38:16 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/1a6c0cbb-2b22-407b-b934-172d6c389900

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/448208/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Trojan.PackedNET.738.14263.14401.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6500859e985359c839071990/reports/ddc695b7-cfd9-44f0-9b92-fd658226cdc0/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/94b3c1fcf7fc898d958131debf45f492f218c8af57eede19ecb3d5b77a16df02

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/26eca9c9-b085-4ac6-951b-4026a7031fec

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1308569

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/94b3c1fcf7fc898d958131debf45f492f218c8af57eede19ecb3d5b77a16df02/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-09-12 11:06:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ssz4d7hx7sey3fmbghpl6rpuslzbrsfpk7xn4gpmwpk3o6qw34ba._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

35ffe1b77f2462e8ea815fdbb87213d0233228cd34778f9b4576bd7c64e8b9a8

AgentTesla

3625699aceef8218cece58914659f6ba003e6f26ad033645ed738b4972050aa5

AgentTesla

68d7bd6dc7ce2ada6af865682185e9f2c33c897ec3191f0d6127d3654e69b4a1

AgentTesla

6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825f

AgentTesla

83a017f0486a37a65a6d3d423a90bb392502640c2f45401bcc1112f00aea8aa4

AgentTesla

8d47a0875bae9f6a20e36525e6be0c0450e7492fb540a1f65802601bf8e558bb

AgentTesla

9a9fc5c4dd7a166545f663bd6dda67a0e8d428f0737c7396b6358eda4bd9b679

AgentTesla

c13d10d9eb5505c91c1982dd55019f8d5e5121952be774dc80eff344453c50ea

AgentTesla

cd1a3a3951014346894a253fa1a9dc05b221640be311dc679a83b4f91b1449f0

AgentTesla

+ 5'616 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230912-s2f61sdg6z/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

9a63b62a1296933300f9cda87fefbdfc9f55ee908575a2130c641c9fd0c4f830

MD5 hash:

651ffbf7723d66c959851ec6c450fba2

SHA1 hash:

f7cf3587def824a298ae36da8ce82c62e2245f48

Link:

https://www.unpac.me/results/42b3d020-bfa6-48d1-b158-4fa6559e3d69/

SH256 hash:

0685765f52bb01c82e761f17d0aff02df82d993ae5b8fa43f02691e2bd1e7dc7

MD5 hash:

574f27015efd53cacd5da2e394ce5cba

SHA1 hash:

5c5b6f3b43e1a6637d86d340e6e0a00df34add86

Link:

https://www.unpac.me/results/42b3d020-bfa6-48d1-b158-4fa6559e3d69/

SH256 hash:

8dcd83abf4af7921dacab3db3107c836f069151620023a80241e1b1c89508eb7

MD5 hash:

18e5c29285b6f404cc3fab8c4e305bb7

SHA1 hash:

399149d3a91895fa246243a7e56dbf3160818a14

Detections:

AgentTesla

Link:

https://www.unpac.me/results/42b3d020-bfa6-48d1-b158-4fa6559e3d69/

Parent samples :

94b3c1fcf7fc898d958131debf45f492f218c8af57eede19ecb3d5b77a16df02
bde356df76eadf9a14d5f5f9a6d9c7ed2677639ffa89b4fdb184c2d4ad7c8d33
d2e1eead980699faad8218e03f34a2a6309f4fa40c43126f752a8e759a1c1fbd
c66d4b72b5c5e730f5ad11169a86e3b51f4e7d7b4a83c5041a0bf41218870eca
bbc5da70b1d00cc3f766229cd1548b582678a18f2fdc75206af530781784f805
87dcdd3f1671bc564055e160fe0a4cf12033f6b430d2a5520e5a92adaf85e4d2

SH256 hash:

0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198

MD5 hash:

f559a9abbd849eb977d262d597d6e4fd

SHA1 hash:

0a8769b40b026852690c89b913c2812817ef43c8

Link:

https://www.unpac.me/results/42b3d020-bfa6-48d1-b158-4fa6559e3d69/

Parent samples :

cef72412a1dd9486bae5f7e606d4330660fba98575ba1c939559ccc83536f41a
81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688

SH256 hash:

94b3c1fcf7fc898d958131debf45f492f218c8af57eede19ecb3d5b77a16df02

MD5 hash:

966410eeaef9218253688d38271f1086

SHA1 hash:

2a0e657e8eb4b8cd17ef7163e4a3672272a455cb

Link:

https://www.unpac.me/results/42b3d020-bfa6-48d1-b158-4fa6559e3d69/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/94b3c1fcf7fc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/94b3c1fcf7fc898d958131debf45f492f218c8af57eede19ecb3d5b77a16df02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/448208/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample