MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 993fdcdb1261188978fad606cb1a577b3ad26fa8a90b8054120bf50a5bcdc500. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 993fdcdb1261188978fad606cb1a577b3ad26fa8a90b8054120bf50a5bcdc500
SHA3-384 hash: 0ea4dede1187e50e77cf63b13db3de89f4cec26bb8fa435ac0998b6dbc8522a5896c2ef31bc7b8474e476c4812897c67
SHA1 hash: 4b8fd33c7b7ce2715eb5935093ecad364f55ccb1
MD5 hash: 16d331c1fdd7f2e7bdaff9d5cc5a9e26
humanhash: fifteen-pip-happy-quebec
File name:SOA 50970351.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'020'416 bytes
First seen:2023-07-03 06:33:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:ahBk76irpYHI0P1qxCkshmVTda7MNF3WzYz4u461+Qr69s:ahuvG4xzZ1jeYMj61+Qs
Threatray 188 similar samples on MalwareBazaar
TLSH T14725C724997E0912C074C3BDD6C1E32FAA9D4C9724219B321CC27FCE5F7AA06159BD6E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SOA 50970351.exe
Verdict:
Malicious activity
Analysis date:
2023-07-03 06:35:53 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/9f5a4aeb-f346-4f58-9932-9e844792b88a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/405698/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67879968.17293.1671.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/64a26bdc2299d26882644a45/reports/be7984e3-2f2c-485e-9b36-a11cbaf40483/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/993fdcdb1261188978fad606cb1a577b3ad26fa8a90b8054120bf50a5bcdc500
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5638c6b0-9982-49f9-a241-4a7de711d3fb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1265551
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 898581 Sample: SOA_50970351.exe Startdate: 03/07/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 7 SOA_50970351.exe 7 2->7         started        11 ZeAKXzyKGmNtY.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\ZeAKXzyKGmNtY.exe, PE32 7->31 dropped 33 C:\...\ZeAKXzyKGmNtY.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp67F8.tmp, XML 7->35 dropped 37 C:\Users\user\...\SOA_50970351.exe.log, ASCII 7->37 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 SOA_50970351.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Injects a PE file into a foreign processes 11->71 21 ZeAKXzyKGmNtY.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 mail.opulent-elite.com 135.181.115.139, 49721, 49725, 587 HETZNER-ASDE Germany 13->39 41 api4.ipify.org 64.185.227.156, 443, 49720 WEBNXUS United States 13->41 49 2 other IPs or domains 13->49 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 104.237.62.211, 443, 49724 WEBNXUS United States 21->43 45 192.168.2.1 unknown unknown 21->45 47 api.ipify.org 21->47 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->73 75 Tries to steal Mail credentials (via file / registry access) 21->75 77 Tries to harvest and steal browser information (history, passwords, etc) 21->77 29 conhost.exe 23->29         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/993fdcdb1261188978fad606cb1a577b3ad26fa8a90b8054120bf50a5bcdc500/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-30 10:20:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=te75zwysmemis6h22ydmwgsxpm5ne35ivefyavasbp2quw6nyuaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0725b0bb5b536502fd3a4593864bbf3b25dcacc3b3259162080909284c1348de
AgentTesla
2be2d84da21ebb26725281d12bfb989af6115a9494b6de2a154c2cdd79f50799
AgentTesla
7d544b59bf7b7ca12e4a1b27617caba4d020774a2d09fe3e8db9870a5a9b8943
AgentTesla
7f01e18e55c703b1a21ec0f57483da3de9d5565ce3e440028d40cf553977a101
AgentTesla
85516b5e6517acd4dc26d67b6ae16d9f8373eed6e33e858c0842dc2545eaa2fe
AgentTesla
971af8d67cb7f2a81fcd15f2a50f66251355411499a56a2d92bccbd7839d67ba
AgentTesla
cca30cba64c9679893c85367083785816667a745a2a382afd3b0311285c7017f
AgentTesla
cef9ee760a9e4e3d132a05164243a878622db8cb86d26753e10a4430312d3486
AgentTesla
de955fab450ed36ebd64571db676d4f9330458fadb058f22f57c0a4683d4fc96
AgentTesla
e74ecf1c2f87e3182e7a6414767b62eeea8a49e1d1b08894fbb50a8cd6243961
AgentTesla
+ 178 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230703-hbrjysgc7s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6744d8586d4379c37713a430069d072494478d4c709377a0ddd0c5c66eaec59c
MD5 hash:
87c3924c3a51e9bd5727bd67dc9a5a3a
SHA1 hash:
eb10b8e80741b17ef91c91270af5a83b7e598f99
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
bf4ee830e109c345fa89b76c3925b8e7ec33cf96e1bb374f592b6de7125ca6a9
MD5 hash:
0c2b667bfdf84a75a68983b342c6c8c4
SHA1 hash:
df4697ba53c9c0946cd7b91a2913626377aac942
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
4beb97f50324c840d1bc6dc41e5962059ed45272302a8c8f093d001ab7532951
MD5 hash:
807a9bb2b55af8df7aef1dfcb897eefc
SHA1 hash:
1792411ea0ea4188d0fb982ca0eed418852df864
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
6744d8586d4379c37713a430069d072494478d4c709377a0ddd0c5c66eaec59c
MD5 hash:
87c3924c3a51e9bd5727bd67dc9a5a3a
SHA1 hash:
eb10b8e80741b17ef91c91270af5a83b7e598f99
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
bf4ee830e109c345fa89b76c3925b8e7ec33cf96e1bb374f592b6de7125ca6a9
MD5 hash:
0c2b667bfdf84a75a68983b342c6c8c4
SHA1 hash:
df4697ba53c9c0946cd7b91a2913626377aac942
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
4beb97f50324c840d1bc6dc41e5962059ed45272302a8c8f093d001ab7532951
MD5 hash:
807a9bb2b55af8df7aef1dfcb897eefc
SHA1 hash:
1792411ea0ea4188d0fb982ca0eed418852df864
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
6744d8586d4379c37713a430069d072494478d4c709377a0ddd0c5c66eaec59c
MD5 hash:
87c3924c3a51e9bd5727bd67dc9a5a3a
SHA1 hash:
eb10b8e80741b17ef91c91270af5a83b7e598f99
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
bf4ee830e109c345fa89b76c3925b8e7ec33cf96e1bb374f592b6de7125ca6a9
MD5 hash:
0c2b667bfdf84a75a68983b342c6c8c4
SHA1 hash:
df4697ba53c9c0946cd7b91a2913626377aac942
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
4beb97f50324c840d1bc6dc41e5962059ed45272302a8c8f093d001ab7532951
MD5 hash:
807a9bb2b55af8df7aef1dfcb897eefc
SHA1 hash:
1792411ea0ea4188d0fb982ca0eed418852df864
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
6744d8586d4379c37713a430069d072494478d4c709377a0ddd0c5c66eaec59c
MD5 hash:
87c3924c3a51e9bd5727bd67dc9a5a3a
SHA1 hash:
eb10b8e80741b17ef91c91270af5a83b7e598f99
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
bf4ee830e109c345fa89b76c3925b8e7ec33cf96e1bb374f592b6de7125ca6a9
MD5 hash:
0c2b667bfdf84a75a68983b342c6c8c4
SHA1 hash:
df4697ba53c9c0946cd7b91a2913626377aac942
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
4beb97f50324c840d1bc6dc41e5962059ed45272302a8c8f093d001ab7532951
MD5 hash:
807a9bb2b55af8df7aef1dfcb897eefc
SHA1 hash:
1792411ea0ea4188d0fb982ca0eed418852df864
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
SH256 hash:
993fdcdb1261188978fad606cb1a577b3ad26fa8a90b8054120bf50a5bcdc500
MD5 hash:
16d331c1fdd7f2e7bdaff9d5cc5a9e26
SHA1 hash:
4b8fd33c7b7ce2715eb5935093ecad364f55ccb1
Link:
https://www.unpac.me/results/d5252437-3356-41ba-8eb8-917a963e63b3/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ee116db3e8668047eec39c45ada16a095004aa1b154fbccaa62945de4e1a2c6a

AgentTesla

Executable exe 993fdcdb1261188978fad606cb1a577b3ad26fa8a90b8054120bf50a5bcdc500

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ee116db3e8668047eec39c45ada16a095004aa1b154fbccaa62945de4e1a2c6a
Cape
Cape
https://www.capesandbox.com/analysis/405698/
  
Dropped by
MD5 8515de0bde4b170f340ab25c088b0576

Comments