MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 950de660ce5f58e7991441c5109a594382eceb65e8e16f9667f4089f508ba796. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 950de660ce5f58e7991441c5109a594382eceb65e8e16f9667f4089f508ba796
SHA3-384 hash: 99f71b46c8d8eb88b408d29ee25d654fba5d1034074483257874d9153a77a17e83b69fb01d8326291d2e83e174b83c61
SHA1 hash: 5111b39f87307fa49d2bb096f9a5bacdecab48f6
MD5 hash: 77fd7a42366f20396cfd02d3f0aea455
humanhash: december-network-bacon-video
File name:rpagamento.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:890'880 bytes
First seen:2023-06-17 13:29:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:UrYkZLYdXjZz1S5LA9acijRNJ32hgxGq:UgXjZzs5LA93SxG
Threatray 5'438 similar samples on MalwareBazaar
TLSH T12B15D04072A89F52E03F87F991916030C3F52623F57FF79ACDD221EA1DA6FA18A51193
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rpagamento.exe
Verdict:
Malicious activity
Analysis date:
2023-06-17 13:32:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cd3082f5-5a0d-4a7e-838e-4b4603a8e949

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399803/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/648db55b7324434f085b8515/reports/2d730c73-ff5d-4f34-84f4-00704aa59ad5/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/950de660ce5f58e7991441c5109a594382eceb65e8e16f9667f4089f508ba796
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c738c0c-acbf-4a1c-8581-71496dc8aaae
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1256498
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/950de660ce5f58e7991441c5109a594382eceb65e8e16f9667f4089f508ba796/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-16 16:36:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
20 of 36 (55.56%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sug6mygol5mopgiuihcrbgszioboz23f5dqw7fth6qej6uelu6la._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
24e0a3aedd9e710a748e81aaaf062a95356753f48fb3cfa94ed5cf18c1c6ddfa
AgentTesla
38b7e813402447704258ca274ea142fc05f52da70913bbd3d31392a855287f8e
AgentTesla
71626f4c825903dc56b7df19096cf84ae800ce19aa6e02f23d72fe847eb3cec1
AgentTesla
813ee787efe7691b84a7286dfb567f0f6f377f3ac0f0d2dc200e106df9f8f222
AgentTesla
9267fc3af8040cbf3f53d4501c063d70e54574c98d7133a5c18c8d5b9686d901
AgentTesla
a1e791d05730569356fad45cac12cc6fdd3c6a81009ea50ee40609053ce3216e
AgentTesla
b56b1cd85f7629245b8688d774aac1a87bf4d79bacc7a0207157f00894c7d405
AgentTesla
b6e2144718d44a1723211a5172b2827284335df121b4b61df35292cfae73fd88
AgentTesla
ed7f74a7f08c133d454c3b2484a86e288cb35f236bc3889b4fcd2c8f033601f6
AgentTesla
f3341ea77e5c8f5e57ee22b1842656ff8225d0fef647bef19d0b0fcc6b87200d
AgentTesla
+ 5'428 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230617-qrsqysbh55/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/27060e4e-b7ad-44c1-80cd-ca59ea8e848a/
SH256 hash:
05f28ef457ba6182fd10cab5b9793036663f3203f9d1afcac56cbe03d77f0206
MD5 hash:
04dd799c7c742fda56086c4c15c713a3
SHA1 hash:
d95082d8d127b6d43c83020c9fa83901da7b0a06
Link:
https://www.unpac.me/results/27060e4e-b7ad-44c1-80cd-ca59ea8e848a/
SH256 hash:
daeef5235265de13025c1894fb03cf1f9389d56608ec0f23bdb6764376fbedd8
MD5 hash:
315c9d7867852cd78abe106fe1227c5b
SHA1 hash:
be5b20417f149029c9e20d72c919ec27f4447713
Link:
https://www.unpac.me/results/27060e4e-b7ad-44c1-80cd-ca59ea8e848a/
SH256 hash:
b86193f0f5eeadf451f23596dffb4d015245311c67bc15244c2b1c81293d3679
MD5 hash:
be09d1a9fbdc7fe4ad47e49a0ccf2a0e
SHA1 hash:
3eea7d856de59fefd670110c2edda63c319a5a1b
Link:
https://www.unpac.me/results/27060e4e-b7ad-44c1-80cd-ca59ea8e848a/
SH256 hash:
42e7bbc3cdce6f28abf3863462d12da1a61b020d3927ff1aaad076bc93156568
MD5 hash:
7ebc37f2b36d6379bf28cd66e50cb78a
SHA1 hash:
3a42967f20f172d5ff19a35af445bf618c2c2a6b
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/27060e4e-b7ad-44c1-80cd-ca59ea8e848a/
SH256 hash:
950de660ce5f58e7991441c5109a594382eceb65e8e16f9667f4089f508ba796
MD5 hash:
77fd7a42366f20396cfd02d3f0aea455
SHA1 hash:
5111b39f87307fa49d2bb096f9a5bacdecab48f6
Link:
https://www.unpac.me/results/27060e4e-b7ad-44c1-80cd-ca59ea8e848a/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/950de660ce5f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/950de660ce5f58e7991441c5109a594382eceb65e8e16f9667f4089f508ba796

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 950de660ce5f58e7991441c5109a594382eceb65e8e16f9667f4089f508ba796

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/399803/

Comments