MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95f994f1cbe8e74ce5c1849210f8dfa6f15d2f2e45e2c12a637c06b946c1f839. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95f994f1cbe8e74ce5c1849210f8dfa6f15d2f2e45e2c12a637c06b946c1f839
SHA3-384 hash: d4111c3967f4741972235be7f9a06dcc772b333fca568a2f12a31a2a7c8a06dfcef581bcddf93aa759b1e600e847fb09
SHA1 hash: dba0f13f998f6c93d43dfd1c4b5605b551c0d8b9
MD5 hash: df7edc4231b357eb836746d344fccd0b
humanhash: maine-oklahoma-triple-undress
File name:03Dc2MIz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:704'000 bytes
First seen:2023-10-02 21:46:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:psA1gsj/aP5gypEhJ0zSGuE3MaOv32/A++xX0XFjEVhG75:psygG/saypEv8SNWMaOfWA++xkVjCy5
Threatray 6'420 similar samples on MalwareBazaar
TLSH T121E4C43C21ED2A88F36596BCF3744EFF57D5796F81ABB8B7AC4CA58305A97C04512220
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter smica83
Tags:AgentTesla exe HUN

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
HU HU
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Malaz-9939293-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/651b3a579b16696e9f8d3028/reports/68c96512-bcb0-4b39-98b8-533cd2d97160/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/95f994f1cbe8e74ce5c1849210f8dfa6f15d2f2e45e2c12a637c06b946c1f839
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff8578cc-5404-4dca-aef8-44530e55891b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318326
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/95f994f1cbe8e74ce5c1849210f8dfa6f15d2f2e45e2c12a637c06b946c1f839/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 00:50:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sx4zj4ol5dtuzzobqsjbb6g7u3yv2lzoixrmcktdpqdlsrwb7a4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
003569fddd9c4c72cfd68b3188ffc2700138a90212a85aedbf040e1f68f9acdd
AgentTesla
3096973acd0408ca6115b08d3e7968a5f029e353878991a39c22cc3f9d60683d
AgentTesla
3776d991080dd8cdf41d7b64315d1bccf2c09ed001058b9a28042d760f888163
AgentTesla
98c140b482c040e7e9bfb991d7b817ff64bb416f9c7d1089246382b04a0276df
AgentTesla
b7d2b37cc28a00f2b70eab0d8d20fd07b5f8d4a908b5de1f5ad828fe80edcdfb
AgentTesla
d5e591ea8f68073801567e09b4323723d5cf1232ce0225365b1e74ee1cfe2c44
AgentTesla
ed5d871ea2afdbdd66a20e04f156f2ecb0fa56e929aaeaa65779e37a13852e20
AgentTesla
f783b15fc1e213a63dc1272a4f46d630ae0542d3a7cff83ae1df1b9efac6fc4f
AgentTesla
+ 6'410 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231002-1m63wsgf48/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4ff8a522ef000b82d57dfa14f4e9b04967e4240dc36a0c7c3e0c53834afcf0c5
MD5 hash:
777d9708d2981116060c2978b3fc7e8b
SHA1 hash:
b3013c2b4bfde33883ca8c74d89a5fd57cbe502f
Link:
https://www.unpac.me/results/900110b9-2d2f-4f5d-b2a3-85ac1fa4720a/
SH256 hash:
5eb8c8c5704337f949f2e2542242a6dd722dc7d8ac0e6fb468e702118c11dac3
MD5 hash:
f05984f753d56ee00ad3a50ad1adeff1
SHA1 hash:
afc10b287793a53e446dfc80f2dcc2fe2a6a819e
Link:
https://www.unpac.me/results/900110b9-2d2f-4f5d-b2a3-85ac1fa4720a/
SH256 hash:
82285a575ea205476be5bf48340be52a19296fb6afff6183e6602ac8fc9a449a
MD5 hash:
4c963ce10be216472a5cc89e6866e241
SHA1 hash:
21a9a24908f421fee6a1d4b6041bd5871cffbd2f
Link:
https://www.unpac.me/results/900110b9-2d2f-4f5d-b2a3-85ac1fa4720a/
SH256 hash:
95f994f1cbe8e74ce5c1849210f8dfa6f15d2f2e45e2c12a637c06b946c1f839
MD5 hash:
df7edc4231b357eb836746d344fccd0b
SHA1 hash:
dba0f13f998f6c93d43dfd1c4b5605b551c0d8b9
Link:
https://www.unpac.me/results/900110b9-2d2f-4f5d-b2a3-85ac1fa4720a/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/95f994f1cbe8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/95f994f1cbe8e74ce5c1849210f8dfa6f15d2f2e45e2c12a637c06b946c1f839

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_bytecodes_sep_2023
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments