MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a445a43ad0e6079bae384dc89c31a742ca0d4de5e3ca5fedf95e670328ed68e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a445a43ad0e6079bae384dc89c31a742ca0d4de5e3ca5fedf95e670328ed68e6
SHA3-384 hash: f89d33884cf34d2d7b09d6f7e562301f7556e2468e1220e359dbf28120c33f876e9a041cd759f9989e5839a3f5756404
SHA1 hash: 133a2ee01094924bf944e3db5f18dc27b0fe55cd
MD5 hash: d56ed7d6212ec1bad5597151376c90c2
humanhash: stream-hawaii-white-mexico
File name:AWB ref #HQ3720811880911.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:651'264 bytes
First seen:2023-05-25 08:35:00 UTC
Last seen:2023-05-29 09:53:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:S2N8jiZ4zypIPsWtPplTY6RhKuWku71b5YH4RlnL3jra/09tQO/5lN7/UjTFDJ:S2N8jiZ4zypIPsWJTDE1ku9yHIXS4xDI
Threatray 1'758 similar samples on MalwareBazaar
TLSH T1C2D40180767DAB06E87B97F5040485B4433E9D6BB233E30B4EA7B0DB5A54B441B41F6B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB ref #HQ3720811880911.exe
Verdict:
Malicious activity
Analysis date:
2023-05-25 08:57:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ef5e19ff-749c-4ac4-979a-724343731ca6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/391467/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/646f1dbfcf634b8f311b25dc/reports/8209af0b-3e03-4f1a-bdb3-9c66612fe107/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a445a43ad0e6079bae384dc89c31a742ca0d4de5e3ca5fedf95e670328ed68e6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/af379f06-553c-4a67-835a-e9624fcbdd9f
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1242350
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 875362 Sample: AWB_ref_#HQ3720811880911.exe Startdate: 25/05/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 5 other signatures 2->57 7 AWB_ref_#HQ3720811880911.exe 7 2->7         started        11 isXBnqqrwzuiJS.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\isXBnqqrwzuiJS.exe, PE32 7->31 dropped 33 C:\...\isXBnqqrwzuiJS.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp1145.tmp, XML 7->35 dropped 37 C:\Users\...\AWB_ref_#HQ3720811880911.exe.log, ASCII 7->37 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 AWB_ref_#HQ3720811880911.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 21 isXBnqqrwzuiJS.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 smtp.yandex.ru 77.88.21.158, 49698, 49700, 587 YANDEXRU Russian Federation 13->39 41 api4.ipify.org 173.231.16.76, 443, 49697 WEBNXUS United States 13->41 49 2 other IPs or domains 13->49 71 Installs a global keyboard hook 13->71 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 64.185.227.155, 443, 49699 WEBNXUS United States 21->43 45 smtp.yandex.com 21->45 47 api.ipify.org 21->47 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->73 75 Tries to steal Mail credentials (via file / registry access) 21->75 77 Tries to harvest and steal browser information (history, passwords, etc) 21->77 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a445a43ad0e6079bae384dc89c31a742ca0d4de5e3ca5fedf95e670328ed68e6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 11:32:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=urc2iowq4ydzxlryjxejymnhilfa2tpf4pff73pzlztqgkhnndta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2fe3221aa9dff870b2112bf96ed78c99ef06d99dedc3b103f061cced424c1cff
AgentTesla
31261a3dd67894580c9377da5cfd7f25e02cbded114c4c73ebd14941c911805a
AgentTesla
41250765ce8be9fb830cfd0ca91b82a7018d7859b6cd90a80de2f83eb365cc2b
AgentTesla
63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464
AgentTesla
701a8cc94a1cab0f2870b4739f00cd41230525ee120cd906187bb0bc74bf6ac4
AgentTesla
7a8572538d238ecc9522afd19cdbf90ba4562b3c075f2b4d6b070e29fc565f0b
AgentTesla
a29611641a2f20fafa07843982a24baf1e253bf03439d0905b61e816339158f9
AgentTesla
ac18f1cbdf0303e840e4da9594405257df6300374d748956c8378b07181c6129
AgentTesla
c67f1aa3ba774093756918e8dc2a2064e1d8e39a91f09c01d55ad38e73ef5a3e
AgentTesla
f328c0cde7df997ea2fd271bd3096b93f28fb6d93b06e5894209684b9f58873e
AgentTesla
+ 1'748 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230525-kg1qxsgh86/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/18195afc-afc3-4c65-8c6d-b7dd2b56f880/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
c5c666ff41d823f62a8debf8e0f23e0357c96d1567a5d6d2d4e1d0440561b135
MD5 hash:
2216e1fe716fce9ceab6ef7bf26397af
SHA1 hash:
90ff14738990624f59db488ba51faede4bf4a61b
Link:
https://www.unpac.me/results/18195afc-afc3-4c65-8c6d-b7dd2b56f880/
SH256 hash:
aee7c50fbd255797daf1902bc83b5e5a27433d87d2c302641415b019b641edb0
MD5 hash:
fa8bd26e4b0a506304022c562bf96b9b
SHA1 hash:
6726695e1ae56522a16cea17073d45a46730d328
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/18195afc-afc3-4c65-8c6d-b7dd2b56f880/
Parent samples :
a445a43ad0e6079bae384dc89c31a742ca0d4de5e3ca5fedf95e670328ed68e6
539b70f704ffff9cf973a032e01e39d31613a4ce7cd9939d84746d587d0a7ac9
e3c4132afd02885bbedaba92c4e53d022bfd4a642cdeaa3daf717b73efabeca2
SH256 hash:
15b53d4b676d520ab9ceda6279103faecb03908f6e1042f51c8d229c9c21dbb9
MD5 hash:
9be1bebd352dca1b9d5dcc1810a89269
SHA1 hash:
3d5beeb208234abe14f15aad60fdcb63f479b1c8
Link:
https://www.unpac.me/results/18195afc-afc3-4c65-8c6d-b7dd2b56f880/
SH256 hash:
a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb
MD5 hash:
de906fce89f615f303ddfb80c1b37b35
SHA1 hash:
3568e3f9f0731da9a3294f4f8de61f95dc3eec31
Link:
https://www.unpac.me/results/18195afc-afc3-4c65-8c6d-b7dd2b56f880/
SH256 hash:
a445a43ad0e6079bae384dc89c31a742ca0d4de5e3ca5fedf95e670328ed68e6
MD5 hash:
d56ed7d6212ec1bad5597151376c90c2
SHA1 hash:
133a2ee01094924bf944e3db5f18dc27b0fe55cd
Link:
https://www.unpac.me/results/18195afc-afc3-4c65-8c6d-b7dd2b56f880/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a445a43ad0e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a445a43ad0e6079bae384dc89c31a742ca0d4de5e3ca5fedf95e670328ed68e6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/391467/

Comments