MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a184d2ce3480d7760397c33df9cb2558133468bf0872d9653a44efc2d85142b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a184d2ce3480d7760397c33df9cb2558133468bf0872d9653a44efc2d85142b3
SHA3-384 hash: 0d9e7e66b6e392368678c2bb68684618e583271d43ea66c96d4a8ea898456a3ba44ed8622ada936edbc449d2862ac0d6
SHA1 hash: 2e57cc965696ac50536b36a0724db0b76b1d83f9
MD5 hash: a1225afd917b14a2194b63384ff82163
humanhash: connecticut-charlie-early-comet
File name:SecuriteInfo.com.Win32.PWSX-gen.12391.31887
Download: download sample
Signature AgentTesla
Create hunting rule
File size:606'208 bytes
First seen:2023-10-17 08:32:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:xBLXmsrJM1riHsHF4N6bXB8NGjZjY1OuSPynH/68pNdtmFRe:LLWiMGsjbx8mgIyfrNGRe
Threatray 85 similar samples on MalwareBazaar
TLSH T1CBD41312B3FD8786E53EE7F95561107517F8B21AD4BACBC82F9A38D9841DB0005B932B
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
九月声明 40981677.xls
Verdict:
Malicious activity
Analysis date:
2023-10-17 06:33:07 UTC
Tags:
opendir exploit cve-2017-11882 loader formbook xloader
Link:
https://app.any.run/tasks/967b29b3-eb17-4c33-8475-9b6fec183a22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/455221/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.12391.31887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/652e46bea29a700213a40c6a/reports/ea82e123-f6ca-4a3c-ad68-e1bd9a45d522/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/a184d2ce3480d7760397c33df9cb2558133468bf0872d9653a44efc2d85142b3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6c7f0107-8ebd-415c-b339-77b75964c8bd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1327096
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a184d2ce3480d7760397c33df9cb2558133468bf0872d9653a44efc2d85142b3
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a184d2ce3480d7760397c33df9cb2558133468bf0872d9653a44efc2d85142b3/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2023-10-17 06:34:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugcnftruqdlxma4xym67tszflajti2f7bbznszj2itx4fwcrikzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
3dffc312e024e6daba1c3ff795a3070682341d9f99bd6e9f103d28234c695589
AgentTesla
6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463
AgentTesla
795998e9064cb981d6a40a34fbeee48381121ea7ac7175ffe5b506b11cf843d7
AgentTesla
9e986879ac645f058d5deb6415cc90f40130a67e3d4263be55dbe1a8ff68ad2d
AgentTesla
ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39
AgentTesla
afd193c804de7b5b9e18a0f385233c2706175b30bab03afe82be899e08689b82
AgentTesla
bbcaa127862b5b70b5a833b3136f431c03a9165dd0a4646ba78922ebcc7ebdc3
AgentTesla
cc06328c412ff41125dbceb0bc2838c1cbea24fa2909b7614e08b6546ad77891
AgentTesla
dc999aa2db84e4f91022be10a55e971c49da82960027b7482b44856fee46f9cc
AgentTesla
f3c99b21d43e967be5b3e53e70050b9d6dce181fe5415f9825b512850ecb0b52
AgentTesla
+ 75 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:rs10 rat spyware stealer trojan
Link:
https://tria.ge/reports/231017-kfvhhscb93/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
723ded73c10edb99c7f2c6b22cd1d74c1fb8985556fe4f16b0f21c87b8a3b13e
MD5 hash:
0ec3c3fe5f0c1c9e4ecb124c4b05fde0
SHA1 hash:
542c250037697c26ea30b702994473c9ac0d7636
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/4e3bf47d-b545-4814-adcc-a1478ab28b90/
Parent samples :
a184d2ce3480d7760397c33df9cb2558133468bf0872d9653a44efc2d85142b3
356025114ed69404543712922762409938a37d54cabd294c661d844cc547fc52
0ad9757a6895b3595b4eaa5a71cca88d658a1c21f335b8d3268949d659e27fda
608aa86a359a3a8cd3f5e51e98331376cb9bdefeb7d7a68e543799d253ff6da7
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/4e3bf47d-b545-4814-adcc-a1478ab28b90/
SH256 hash:
c574496286c32e7db457f72884829e3a686c0089c65fdba4f9a9e99f8d64abf8
MD5 hash:
b13fccfd3754e41880a5cdb70eb90f27
SHA1 hash:
879dab0abd37297bc99d950537843cf4b13c0e75
Link:
https://www.unpac.me/results/4e3bf47d-b545-4814-adcc-a1478ab28b90/
SH256 hash:
068b103533bd50fd32cb8df489bc3a04193174cb4ea556a1ffe852d3cbac112d
MD5 hash:
bce58d976229b466b5b84dd6ae51ffd4
SHA1 hash:
7c4c7d969a7bbdc74447c434dd5d862138e1b260
Link:
https://www.unpac.me/results/4e3bf47d-b545-4814-adcc-a1478ab28b90/
SH256 hash:
a184d2ce3480d7760397c33df9cb2558133468bf0872d9653a44efc2d85142b3
MD5 hash:
a1225afd917b14a2194b63384ff82163
SHA1 hash:
2e57cc965696ac50536b36a0724db0b76b1d83f9
Link:
https://www.unpac.me/results/4e3bf47d-b545-4814-adcc-a1478ab28b90/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a184d2ce3480/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a184d2ce3480d7760397c33df9cb2558133468bf0872d9653a44efc2d85142b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe a184d2ce3480d7760397c33df9cb2558133468bf0872d9653a44efc2d85142b3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2721536/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/455221/

Comments