MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167
SHA3-384 hash: e8d603396481a1586158b14a346bb53e8b9528bf58f32c1bba5afa2c31d9a75cd9a0241f62cf1e6b01d3d0dc08a33f33
SHA1 hash: af35e32fa776123ed46cacebd055e108db25ba8d
MD5 hash: fe92eb10f855272ceb138f1763b3e3fc
humanhash: cup-lima-alabama-river
File name:ungziped_file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'193'472 bytes
First seen:2024-03-25 12:30:45 UTC
Last seen:2024-03-25 14:36:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bd3825b6e0410966f0c31f64b6c7644a (36 x AgentTesla, 15 x Formbook, 6 x RemcosRAT)
ssdeep 24576:BAHnh+eWsN3skA4RV1Hom2KXcmtc14evtJ2DVEg340H2F/etI:Yh+ZkldoPKsac6QJ0Kgm/+
Threatray 42 similar samples on MalwareBazaar
TLSH T13645BE027392D03AFFBB92B35B69B2015AB97D250123852F13D82D79BE701B1673D762
TrID 49.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon a065646aeec646ec (21 x AgentTesla, 13 x Formbook, 5 x DarkCloud)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
355
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167.exe
Verdict:
Malicious activity
Analysis date:
2024-03-25 12:33:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8d9a77a2-dbf2-4dcc-a35b-014da9bc7bf5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit fingerprint keylogger lolbin packed shell32
Link:
https://www.filescan.io/uploads/66016ea101323620085bf1b1/reports/c50804f8-43cf-47b1-92e1-2fda5029ed73/overview
Verdict:
Malicious
Labled as:
AIT:Trojan.Nymeria
Link:
https://www.hybrid-analysis.com/sample/95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d5982751-f3d8-4a36-9668-667bbe851b0e
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1415047
Signature
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2024-03-25 12:31:21 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=swya65nychrtw6lsljamfxpbs3oizfp4cwi5g37ogqiyduxhuftq._file
Verdict:
unknown
Similar samples:
5c702d043863b1bdd6e4dbdf89ffde07497dea0570396698509e23637b5558ab
AgentTesla
6368bd094f648a12bcdd609edb833cb5ca3aa7a70efc0cf7e0dcbc71e80ed51b
AgentTesla
95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167
AgentTesla
b7e1e34df8d8f63cad1d66970746631001c34f2bad3f86e3a517e5ebdfdd6b3a
AgentTesla
c20765742b6d22e16299239e960d1c4e851fa9f12bd1b0696d4195f8890a6bf6
AgentTesla
cd1ee01f73112ac8092488e3c8bd6edf3c5defc2ff087b60312ecd34a46afeef
AgentTesla
e4d521e8c1f8bc496fe8fcdf2e083f0ab341696723586c83c12c5b13013843c3
AgentTesla
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240325-pp5r3aae5y/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
AutoIT Executable
Unpacked files
SH256 hash:
6560932213e8edbf3fc867c30cedd9bb70c06e469d8e90d83bbec06dfb753029
MD5 hash:
692d2db4b5cda93caa8cee205c873ee8
SHA1 hash:
942c83c249a7c34be0b25228f32112a0d3c6033f
Detections:
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/8895fba5-1540-4156-9d10-93068c3d38d2/
Parent samples :
95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167
90df828229e0aeb79e21c74aca2d2774a76f80cf246e668785d93bac5b049867
SH256 hash:
847c2f34ace356739f13cd9b652d0abf12079749f92de464053bfd33e071038b
MD5 hash:
01f9993f042abff5c5fa69636bfe80fd
SHA1 hash:
03ebf12e93de58cbe8dad8065d1c7da37463ebd9
Detections:
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/8895fba5-1540-4156-9d10-93068c3d38d2/
Parent samples :
95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167
90df828229e0aeb79e21c74aca2d2774a76f80cf246e668785d93bac5b049867
SH256 hash:
056257b45067962e4dc18ee349f049b0cd21fe0e55fa0c3d4db693c88440a406
MD5 hash:
9004517fa717f5dd7497966daaa01808
SHA1 hash:
e0fc05b4c54a9e1e54d9729c6f792e3eaf224530
Detections:
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/8895fba5-1540-4156-9d10-93068c3d38d2/
Parent samples :
95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167
90df828229e0aeb79e21c74aca2d2774a76f80cf246e668785d93bac5b049867
SH256 hash:
95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167
MD5 hash:
fe92eb10f855272ceb138f1763b3e3fc
SHA1 hash:
af35e32fa776123ed46cacebd055e108db25ba8d
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/8895fba5-1540-4156-9d10-93068c3d38d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 95b00f75b811e33b79725a40c2dde196dc8c95fc1591d36fee341181d2e7a167

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.DLL::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.DLL::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::TerminateProcess
KERNEL32.DLL::SetSystemPowerState
KERNEL32.DLL::LoadLibraryA
KERNEL32.DLL::LoadLibraryExW
KERNEL32.DLL::LoadLibraryW
KERNEL32.DLL::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.DLL::WriteConsoleW
KERNEL32.DLL::ReadConsoleW
KERNEL32.DLL::SetStdHandle
KERNEL32.DLL::GetConsoleCP
KERNEL32.DLL::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CopyFileExW
KERNEL32.DLL::CopyFileW
KERNEL32.DLL::CreateDirectoryW
KERNEL32.DLL::CreateHardLinkW
KERNEL32.DLL::CreateFileW
IPHLPAPI.DLL::IcmpCreateFile
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.DLL::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments