MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a32619cd26fbb97072657ec6a481d4f4fd6c51b72ea5ea0837006d9a8dd24800. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a32619cd26fbb97072657ec6a481d4f4fd6c51b72ea5ea0837006d9a8dd24800
SHA3-384 hash: 8e43843173c97d9fc713b74138d49975a31a63f36c8addb33a975c2824e828f5c2a70d7a15d8d8c6b6ea2aff1ce142fd
SHA1 hash: 850a3b7eb6d6251385c22dd9ddf1103714ae63c7
MD5 hash: a968d6ad57890d14a90d141bdf701a6f
humanhash: finch-oxygen-california-sweet
File name:SOHD5510420.Scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:901'120 bytes
First seen:2022-12-07 07:20:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:cFoQgKZ/nXt7virmWhlGLaQYIM9plrYowdeGy31hxaiNQZQ8mPSH9sz25mIGIIKP:cENE/yFhsKwH9sz28IGIIK8DErr
Threatray 13'444 similar samples on MalwareBazaar
TLSH T15C15E82F8ED395D4ED3787F8B2559BB83DA2B3C1A8A51C4568A09033004C53EB76FDA5
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0c525252c9c4e42b (3 x AgentTesla, 2 x Formbook)
Reporter 0xToxin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SOHD5510420.Scr
Verdict:
Malicious activity
Analysis date:
2022-12-07 07:21:06 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/38a229a8-2f83-4cd7-9e98-5818b4b83f35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/343752/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.46272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Creating a window
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63903ede9a505ad9423dcd19/reports/8f8f60b8-e6f9-4c95-aed4-0d350e259ff8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3453e51d-c844-4800-b7d3-7d00e2df32fd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1129673
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 762398 Sample: SOHD5510420.Scr.exe Startdate: 07/12/2022 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 6 other signatures 2->41 8 SOHD5510420.Scr.exe 3 7 2->8         started        process3 file4 27 C:\Users\user\AppData\LocalFtwfx_GVWu.exe, PE32 8->27 dropped 29 C:\Users\user\...\SOHD5510420.Scr.exe.log, ASCII 8->29 dropped 11 LocalFtwfx_GVWu.exe 4 8->11         started        14 AcroRd32.exe 39 8->14         started        process5 dnsIp6 51 Multi AV Scanner detection for dropped file 11->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->53 55 Machine Learning detection for dropped file 11->55 57 4 other signatures 11->57 17 LocalFtwfx_GVWu.exe 3 11->17         started        21 powershell.exe 21 11->21         started        33 192.168.2.1 unknown unknown 14->33 23 RdrCEF.exe 50 14->23         started        signatures7 process8 dnsIp9 31 work-toolz.click 108.170.55.202, 49719, 49722, 587 SSASN2US United States 17->31 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->43 45 Tries to steal Mail credentials (via file / registry access) 17->45 47 Tries to harvest and steal ftp login credentials 17->47 49 2 other signatures 17->49 25 conhost.exe 21->25         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a32619cd26fbb97072657ec6a481d4f4fd6c51b72ea5ea0837006d9a8dd24800/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-12-07 07:21:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=umtbttjg7o4xa4tfp3dkjaou6t6wyunxf2s6ucbxabwzvdosjaaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1077d3daea82b7cb84943204ccfc70ee040676a305d7027c7980512b3da80f53
AgentTesla
28da4dc581a7a99fddff8eef31876687c6c64a0564c35f1b9bab984fc9c9160c
AgentTesla
3e8e2a2868f0e729a298541b51105ca23c60b0ffaa2c7b7c89e8a1edc0b2eab7
AgentTesla
624986bf92ce4a3301888ca62e5e20b19d4b662862fb2289d87865a3d67b206d
AgentTesla
63ab71c16a6c9bba733a43e5470b5d67af055a6db778a42e464758556fc47a18
AgentTesla
767a461719e3d2f851ffe9f0fc2e0c51d3d5f63b6d922f0e742c5ae28f66b446
AgentTesla
8b2b130f783c2c3d56658c2fb5d282b70edbd828d76faae5c44027c2f2a017bd
AgentTesla
ba9013c23988b787a28abf3dc0c0f1599372967e4bd9b7abd24280180d5843ba
AgentTesla
c1f9f8a6133d2f6f01574b1a8dafabae2376448bc7a6727a66b8070b66ff15dd
AgentTesla
d4304332bc704765db990000fef8c43da3c66eecd0643087f09d0afde0d2a96d
AgentTesla
+ 13'434 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221207-h56kzahh9t/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b426024e-87ed-41fa-a8ed-77d52c0d01a9
Unpacked files
SH256 hash:
b87ebab5165ff2f8c6346beaadd03259cd3d157f372dac5769dc0ddaf545ed28
MD5 hash:
875295f62215f3b8a7a98b5a282338be
SHA1 hash:
d2a72a06a82131e59c9b0c2434ce567ff30cf799
Link:
https://www.unpac.me/results/23464196-a818-4ba6-995e-64f146af2748/
SH256 hash:
578130fcb575dca7feb608fc52999803b58b0e8861335ee97562c8bd77e830bf
MD5 hash:
9311dd0534bd58a3b641da0bb9721a76
SHA1 hash:
7db4c87e858a9a8e6e31c3af2197db414fcabcf5
Link:
https://www.unpac.me/results/23464196-a818-4ba6-995e-64f146af2748/
SH256 hash:
1e80d77ba979cb6eafea6ae32a4cbeb1a33a3ab7cc5aa0bd72c805c496f20904
MD5 hash:
a3390d0192e8dd95b7fac685075c0177
SHA1 hash:
395efa383a4c70ed941a2dc87cef3509774abe10
Link:
https://www.unpac.me/results/23464196-a818-4ba6-995e-64f146af2748/
SH256 hash:
d2d03ac526c9ca441e298f99bdc6ee7534b4d29a2db34cda0d40a2ddda3dd3e5
MD5 hash:
08d3f9f7d0c8e78d54c2f829c586c639
SHA1 hash:
34a6816e02ac59c63f8974e8d6af30501fff0c9e
Link:
https://www.unpac.me/results/23464196-a818-4ba6-995e-64f146af2748/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/23464196-a818-4ba6-995e-64f146af2748/
SH256 hash:
9d84d2275e5f1a3bf9dd057d9bd419350e6a49c2d611e107d3887f2e9cc30959
MD5 hash:
fe89b0ef9f866b9b355f1866186f989f
SHA1 hash:
6aaaf56c36f3db51495424d779533709118f88ac
Link:
https://www.unpac.me/results/23464196-a818-4ba6-995e-64f146af2748/
SH256 hash:
a32619cd26fbb97072657ec6a481d4f4fd6c51b72ea5ea0837006d9a8dd24800
MD5 hash:
a968d6ad57890d14a90d141bdf701a6f
SHA1 hash:
850a3b7eb6d6251385c22dd9ddf1103714ae63c7
Link:
https://www.unpac.me/results/23464196-a818-4ba6-995e-64f146af2748/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a32619cd26fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a32619cd26fbb97072657ec6a481d4f4fd6c51b72ea5ea0837006d9a8dd24800

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/343752/

Comments