MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94e367e6b334e6fc3e50624503159a06b45083b763238c47aaaa3fd6fe492628. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94e367e6b334e6fc3e50624503159a06b45083b763238c47aaaa3fd6fe492628
SHA3-384 hash: 69f7b1833f34f78f841c29d2ac02ce074dd875f3688e3a8eb390532af263580e258e10b27727b38dfba3f9893248ca5f
SHA1 hash: 6f620ef0385f8e74cca147b03050877591abbd6a
MD5 hash: f5823ba2e7052a283526eed8f4dac9e5
humanhash: johnny-seventeen-hawaii-friend
File name:Solicitar Cotizacion.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:982'016 bytes
First seen:2023-02-07 15:22:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:bp1jYGDkjwJsoGlWYwHyR1HFI3LHLHa3QbsgXc3:bphY5UsoGlx7G3LrvrX
Threatray 22'914 similar samples on MalwareBazaar
TLSH T152256D013AF6C863F04A0E7460283DCC3A3CE4479BD9419FB972A96453E6BB6F5D8D61
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1460e0d0f0e8e8c0 (1 x AgentTesla)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Solicitar Cotizacion.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-02-07 15:25:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4a981b2a-1f51-413c-aade-99b95f8144a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361419/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e26cd62d4f6d560e2489aa/reports/2bd26e22-6d3e-4288-b8a3-8d8dd6043f74/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/94e367e6b334e6fc3e50624503159a06b45083b763238c47aaaa3fd6fe492628
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2c1c798-6ce9-4ab9-8f0a-40522b6b00ee
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1167811
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 800600 Sample: Solicitar Cotizacion.pdf.exe Startdate: 07/02/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 13 other signatures 2->57 7 HUnVYsqqfQX.exe 5 2->7         started        10 Solicitar Cotizacion.pdf.exe 7 2->10         started        process3 file4 59 Multi AV Scanner detection for dropped file 7->59 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->61 63 May check the online IP address of the machine 7->63 69 2 other signatures 7->69 13 HUnVYsqqfQX.exe 7->13         started        17 schtasks.exe 1 7->17         started        19 HUnVYsqqfQX.exe 7->19         started        21 HUnVYsqqfQX.exe 7->21         started        35 C:\Users\user\AppData\...\HUnVYsqqfQX.exe, PE32 10->35 dropped 37 C:\Users\...\HUnVYsqqfQX.exe:Zone.Identifier, ASCII 10->37 dropped 39 C:\Users\user\AppData\Local\...\tmp98E5.tmp, XML 10->39 dropped 41 C:\Users\...\Solicitar Cotizacion.pdf.exe.log, ASCII 10->41 dropped 65 Adds a directory exclusion to Windows Defender 10->65 67 Injects a PE file into a foreign processes 10->67 23 Solicitar Cotizacion.pdf.exe 15 7 10->23         started        25 powershell.exe 21 10->25         started        27 schtasks.exe 1 10->27         started        signatures5 process6 dnsIp7 43 api.ipify.org 13->43 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->71 73 Tries to steal Mail credentials (via file / registry access) 13->73 75 Tries to harvest and steal browser information (history, passwords, etc) 13->75 29 conhost.exe 17->29         started        45 api4.ipify.org 173.231.16.76, 443, 49687, 49690 WEBNXUS United States 23->45 47 api.telegram.org 149.154.167.220, 443, 49688, 49689 TELEGRAMRU United Kingdom 23->47 49 api.ipify.org 23->49 77 Installs a global keyboard hook 23->77 31 conhost.exe 25->31         started        33 conhost.exe 27->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94e367e6b334e6fc3e50624503159a06b45083b763238c47aaaa3fd6fe492628/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 15:21:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=strwpzvtgttpypsqmjcqgfm2a22fba5xmmryyr5kvi75n7sjeyua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0028ef36d8287cb6fa087e130c8e8b18350bc0b3257f14200b47fc31ccf9f99b
AgentTesla
14fec3e253e81227fab7ea1a9a09a9d202e6fc273c812bcdfe112ffbe3822b79
AgentTesla
24902a43196fd02d2939443510181c165980bd71e889dcff559ca25153c76d81
AgentTesla
2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478
AgentTesla
33dee3fa1474d96c5f4dec544d0015c56a7a3f46a80033c9ee4cb46c5f677a25
AgentTesla
6941a5420e23e7309cc09e6ffebf847a7c781dbbb726996a2b3d36340d347819
AgentTesla
92d13e09fd15a7a89caa8753d0fe0f8be6ac49f402a4bbae0da6a6bc57d21c33
AgentTesla
a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8
AgentTesla
eaf9e049d4c8725414095db9012dcd798f509a244e8cf17d6a17805420902e52
AgentTesla
+ 22'904 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230207-ssftwsfe9t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5677685939:AAFELEmWBrxMnyX4KiFEXWGKBWoRi9TCLHE/
Unpacked files
SH256 hash:
72cc3c6dc1fb9ac4fa1675aec6bc9a007ea8bcb60403793d090bdfff4c3ebd95
MD5 hash:
8f800894bee9b2068d599595c8cd174f
SHA1 hash:
dcf33dc395221d066e00b32a674229a524b508fa
Link:
https://www.unpac.me/results/ee76988d-443f-425f-a7c5-687a4869777e/
SH256 hash:
635d5d7dc748832e1e5d85bfdfde1e489767e3d75f2421b58d534e5c0c763dda
MD5 hash:
ee580558ef9ae82db04533a9a4c18cfd
SHA1 hash:
a654e3ca2357c546e6795bed18baa58117b63daa
Link:
https://www.unpac.me/results/ee76988d-443f-425f-a7c5-687a4869777e/
SH256 hash:
02eb9a99fd1dccec7d3aee4037fc6a0d8dec3fad8e25737c154ac30effbf50ab
MD5 hash:
245da516b3e95dc3fc3c6fbc9a87e01d
SHA1 hash:
6beeac391d6a9bc02d2bf118a6dec8d24c23892a
Link:
https://www.unpac.me/results/ee76988d-443f-425f-a7c5-687a4869777e/
SH256 hash:
1c3e4ff6e851bfa07f36d3da37b98cf507f0fe2a8612c91645ca3fae6caa37e3
MD5 hash:
3b2eb7cc5be788e8e9dca548dd8d23f8
SHA1 hash:
5a8a7fbf693348799ba3909305bc56d7002f678b
Link:
https://www.unpac.me/results/ee76988d-443f-425f-a7c5-687a4869777e/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/ee76988d-443f-425f-a7c5-687a4869777e/
SH256 hash:
94e367e6b334e6fc3e50624503159a06b45083b763238c47aaaa3fd6fe492628
MD5 hash:
f5823ba2e7052a283526eed8f4dac9e5
SHA1 hash:
6f620ef0385f8e74cca147b03050877591abbd6a
Link:
https://www.unpac.me/results/ee76988d-443f-425f-a7c5-687a4869777e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/94e367e6b334e6fc3e50624503159a06b45083b763238c47aaaa3fd6fe492628

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/361419/

Comments