MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 977ae825349a430b9494cb5ea917a77163190ad185eb0ae3f1cd76a29e608da0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 977ae825349a430b9494cb5ea917a77163190ad185eb0ae3f1cd76a29e608da0
SHA3-384 hash: d94fb4b0a4cef6e22357528f9a9ee5153f5ab29848da0627d3ed8bd7e738455531dd5a041e974643b5dcc7799dd68b3c
SHA1 hash: 0dcbe853d08c3a09e89730aacce5b296156efa73
MD5 hash: 92e624b6f9a91da08a0bbc7c5036dccb
humanhash: single-yellow-chicken-eight
File name:PO#AEM 40523.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:621'056 bytes
First seen:2023-04-16 14:09:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:tnlP4XAsIAWCDrVFyURLExwkgWHNfnfJqwavhqasHMiW6cman:6AsICDrzdgZLVnhvavEashW6c
Threatray 301 similar samples on MalwareBazaar
TLSH T111D4CE8633B18532F0AE42B4540579CC4F7CB00B64D5F1166F6B3AE19261BBBF66CE62
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO#AEM 40523.exe
Verdict:
Malicious activity
Analysis date:
2023-04-16 14:09:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cab227de-f2b3-4148-a666-b6cca67fee66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382629/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/643c0cfba952850b627661c9/reports/f267e50a-a2c0-46f7-a609-60a376eab637/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/977ae825349a430b9494cb5ea917a77163190ad185eb0ae3f1cd76a29e608da0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/701e9c53-61d0-4bdd-a15e-e2efec4f90a7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1214695
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 847619 Sample: PO#AEM_40523.exe Startdate: 16/04/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 4 other signatures 2->55 7 PO#AEM_40523.exe 7 2->7         started        11 wOPDcUFCFRmB.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\wOPDcUFCFRmB.exe, PE32 7->35 dropped 37 C:\Users\...\wOPDcUFCFRmB.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp5C1C.tmp, XML 7->39 dropped 41 C:\Users\user\...\PO#AEM_40523.exe.log, ASCII 7->41 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 PO#AEM_40523.exe 2 7->13         started        17 powershell.exe 17 7->17         started        19 schtasks.exe 1 7->19         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 21 wOPDcUFCFRmB.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        25 wOPDcUFCFRmB.exe 11->25         started        27 wOPDcUFCFRmB.exe 11->27         started        signatures5 process6 dnsIp7 43 strictfacilityservices.com 111.118.212.38, 49730, 587 PUBLIC-DOMAIN-REGISTRYUS India 13->43 45 mail.strictfacilityservices.com 13->45 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        47 mail.strictfacilityservices.com 21->47 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->69 71 Tries to steal Mail credentials (via file / registry access) 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 33 conhost.exe 23->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/977ae825349a430b9494cb5ea917a77163190ad185eb0ae3f1cd76a29e608da0/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s55oqjjutjbqxfeuznpksf5hofrrscwrqxvqvy7rzv3kfhtarwqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04a42e9d0b1c019989d91249331e0920703296490ab8a565bed15e1a0e1742fc
AgentTesla
26f7c2a6ed82ed4f46ad1bde0caa72058fedddc006d534b17b42c1528dbfa720
AgentTesla
69fa15d77275d1d0383f6a1ec7137989a392fe17050cb90f3670e8e834f931be
AgentTesla
900d92079c889090445b172adbb843546731d69d22c39c75a41f8e195e0721f5
AgentTesla
b5faf98263a83d05175328850c5b397e4d5c26a7b36ca417d93811c2745edab9
AgentTesla
c86d38aa757ac108e7d31f03848e49091391730cf0d132b71e70d487c919f68c
AgentTesla
e68df2087331bc53cc8df1fea6ccabb8fd68ce31e9b5a6addbb6bc9036988c51
AgentTesla
ffaa75d7cd46ad3d7497b4085cb223cce99568c9e7e28d70542f8af0028a2a78
AgentTesla
+ 291 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230416-rgpf8aca5s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
48545f584847b4a39eacdda80ff4befbca3078b3e90ca8ba001abfe85598dec1
MD5 hash:
e34fb84f46e2381fb81f28048e8f0335
SHA1 hash:
f1765c7c7396540aa0a7a769c5c64f3a0be638cc
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
SH256 hash:
79196b422eead796a5f236832b3444c0e2eaf2076f8947c61ddfe2a7ca0f27ff
MD5 hash:
526dbe0e7d014d3ba9aeb1c73a7e0440
SHA1 hash:
d5693a5c42e9407a3897f67dca0c15b809e5eddf
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
Parent samples :
7b0134022faef8ea8b527241b3dc2e74457b4b05fbe029eb9b0e9bc4d1206453
fbb8dd09df0e0c79dcf488c021765e4fa915ca3a490ea45a78b622565e920f1a
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260
5e949730956708626bb6db283bf7962841aa18848b79a951e84bd29070bddd3f
c498c88360de57bc9aafce102efe582a988ca1859e1f4fba5914a0b02e41a2fd
62d357696687f648091816eca9e33634cdbb61059b37005fc990f926d9f5860e
cee5014c188dc40530d3945c7bb1e2f544f185349e06d6a8a49c9ae9faeafb4a
9b39264190816a89d1eecefd725d8a91ddca7d3c6cf05445025d73c5b7360584
a7bd440cebd598d5baf8741864d87849def7fdd5bd97f35d4b4d5c558a3376c6
1c5cc71cd847d8a2679ec629b631b4d7e1082e7126022ab26ff015298d93a61e
767f8a18d7d28b82d76fd39c3ae639d352659110a6bfa1a4b929f136e034ca8d
369589e738fc8b7e8e74ae15fc398639e3ed906982c7244705a66875cca0a611
99ab8536c0da1f4eb60edc3b8b848de23de618127baafcaa76ff80ab9b9ebf59
a62a229c3b4cf8ab99889409867fed1758148f1187f8afdca2e29fa3b79239d3
85356ef96af996a05fb53ecdaf9b2559a05d0fc23874e8b97a64a46a28ad498c
1302dd8497ba8909d81dce0a4069767bc358b0879443c1982ffea0292f9707e3
a96e05074cd3acbf563b6e88b123197a89260f2c6898f488b2f486c95892a3f5
a7844d54db8f79a6c878de38086ea87e7bd11ecc16f0550f2258b6cd134392e6
e3cd7dbd437ed0c0b5cef54a5d46b44bd63e656175ce1ec0cd669af08c4482c9
228d7f101a604736db5019b9a13d7601003c76a7c55d67a4b1bb42a7c62ea9b3
88ac7d9f157d80cb2aec269591e6386fc57ddb114d129a439ff66a596baf7f7b
fde58fc777d2b4f3a2cb1b5e818132185df9135fc85a1a4456574c92b30e36ec
23a80d3ed45bf211ad90814dd5180e6a9d1cc9427d354bcfe344a44537f1d1a5
c7709eedf4730a691a8ae7d73a0e8ccf5642c97317428947a7f6257ed6b30d6f
b92d18e28a0d9818d6b6cb017a1840a5f4786fd32287cd89e71646ebaba74866
b0d9e970a53d36e3238693badcb386b0a7b3abf5331cb9b641f5c606899ce8a4
ff79d1ebcdc848810a296694b628852b7331629d9e0802ff2dc3ff79f7a7344c
04b4ec7781de78306b3a40756ed05d29fdcb63245d48e37ec934010fbf78cbbc
55f3d17f0bab350032e410b1641d63ee3e4a83a87201c1f66f415b71ada380e4
0b048d863c3b5219beb927aab90b4b489b9929dc6959ae7e52c964bf3b80bbff
245a3e28e1419522b57181cd700a2df90cae1da066c181329bbe458639b2f2a8
815156bad70a59b55681690c8b2e48ff3be7703d45131bca0a486a5247dff35c
SH256 hash:
8b0b94502319c3a089e0c4ca281248c65f17e07d7b74dd2b863b837d7d1de54e
MD5 hash:
e4be17ed488cc8f27a4b4bf5c5727f03
SHA1 hash:
c13d7af819126d26f9e81b451625c895012010d8
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
SH256 hash:
23483ac8eebd951836b787fc710e03fba7124e847623f4f8157ebb3c8d21e5dd
MD5 hash:
4749b65cac3e0cba07fb08fb56b44cdf
SHA1 hash:
8f361648cfd5455955033b08c84540c4bcd669e2
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
SH256 hash:
8dd5f0d63fb44d4e024f1117c75d6ed3f6fe0227fd3145cc14892f820a40b688
MD5 hash:
d9b145f034c638eb74bf954267a34db9
SHA1 hash:
2a94c50ff138b1388195572decbc8543a2021beb
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
SH256 hash:
b8c7081df419b05eae2b2bccfb2f2fcb4942ec7592c3c682bc16cd2091dbdd59
MD5 hash:
070c91ff7b4639951a2b4fe1de879bed
SHA1 hash:
11162b33961d21039a84edca89cb83b907c24f9a
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
SH256 hash:
0ce5ee246353a78bcb937838ace64617cbb11776f6222e39378edc2c8c61b43e
MD5 hash:
02ec977a68e5b5bf7d4071d8bf9b3265
SHA1 hash:
01d8591e8a6b8736b68781b75bac176365fb44c1
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
SH256 hash:
5cf654a66387195b8f88ca7fef6c218d2edafbfb1676fb85c78b92d27e39c06d
MD5 hash:
8dbedff0d7e1a5c10d41e7798560412c
SHA1 hash:
d18f616e10c88b4e76981b48f22b85da37b6a29e
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
SH256 hash:
c74cfeb40e03d16912642b5d3db1301ab0a15af51b304b838d916d1c6ff2b2df
MD5 hash:
74470383e384ceb8f0b9f097de0f2ccc
SHA1 hash:
44eab442458797173cffa0cb8783c5ca6e59f146
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
SH256 hash:
977ae825349a430b9494cb5ea917a77163190ad185eb0ae3f1cd76a29e608da0
MD5 hash:
92e624b6f9a91da08a0bbc7c5036dccb
SHA1 hash:
0dcbe853d08c3a09e89730aacce5b296156efa73
Link:
https://www.unpac.me/results/0cb049d6-f4c7-400a-83d5-38497573ffc7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/977ae825349a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/977ae825349a430b9494cb5ea917a77163190ad185eb0ae3f1cd76a29e608da0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 977ae825349a430b9494cb5ea917a77163190ad185eb0ae3f1cd76a29e608da0

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382629/

Comments