MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5ae679843b00396ed2349a9ce7d3d0dc077defb4f83c89489d4c2065863e0f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5ae679843b00396ed2349a9ce7d3d0dc077defb4f83c89489d4c2065863e0f7
SHA3-384 hash: e8fd79613b3a6cd3ff412746ade50f1d20f10332c31b0b3bfb50a9ba620086bb9599bef94c03fa7df19808d05d30f10e
SHA1 hash: 2c45a26972f4b3fc0d82af52ac55124997ea0b0d
MD5 hash: e3851631069614440bca9ad8776c6973
humanhash: montana-pasta-alanine-quebec
File name:MiladGroup_Loader.ps1
Download: download sample
Signature AgentTesla
Create hunting rule
File size:472 bytes
First seen:2023-07-02 00:16:29 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:s8AdjL4sT27L87HGrdvhIW+45WHF7vQnD5j+CrBiAWIMUI:WosT27LmGrdB+4UF7vmD4GBTmJ
Threatray 17 similar samples on MalwareBazaar
TLSH T137F0DC135DD16165C208C61AF4AFC3176892DD08A8D2B5D2AEE48807EC4324A99B9E12
Reporter Anonymous
Tags:AgentTesla ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
CA CA
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Heur.BZC.PZQ.Boxter.928.9C6F61B5.1569.16161.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64a0c1ff204315fbc16c21f1/reports/9a43ba50-b4df-4cd8-aaba-a170100c7af6/overview
Verdict:
Malicious
Labled as:
BZC.PZQ.Boxter.928
Link:
https://www.hybrid-analysis.com/sample/a5ae679843b00396ed2349a9ce7d3d0dc077defb4f83c89489d4c2065863e0f7
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1264734
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 897771 Sample: MiladGroup_Loader.ps1 Startdate: 02/07/2023 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Found malware configuration 2->42 44 Antivirus detection for URL or domain 2->44 46 5 other signatures 2->46 7 powershell.exe 14 20 2->7         started        process3 dnsIp4 36 107.175.113.210, 49698, 80 AS-COLOCROSSINGUS United States 7->36 30 C:\nmcn.exe, PE32+ 7->30 dropped 56 Powershell drops PE file 7->56 12 nmcn.exe 14 3 7->12         started        16 powershell.exe 2 7->16         started        18 conhost.exe 7->18         started        file5 signatures6 process7 dnsIp8 38 kyliansuperm92139124.sbs 188.114.96.7, 443, 49699 CLOUDFLARENETUS European Union 12->38 58 Multi AV Scanner detection for dropped file 12->58 60 Machine Learning detection for dropped file 12->60 62 Writes to foreign memory regions 12->62 64 Injects a PE file into a foreign processes 12->64 20 jsc.exe 15 2 12->20         started        24 RegAsm.exe 12->24         started        26 aspnet_regbrowsers.exe 12->26         started        28 AddInUtil.exe 12->28         started        signatures9 process10 dnsIp11 32 api4.ipify.org 104.237.62.211, 443, 49700 WEBNXUS United States 20->32 34 api.ipify.org 20->34 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->48 50 May check the online IP address of the machine 20->50 52 Tries to steal Mail credentials (via file / registry access) 20->52 54 2 other signatures 20->54 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5ae679843b00396ed2349a9ce7d3d0dc077defb4f83c89489d4c2065863e0f7/
Threat name:
Script-PowerShell.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2023-07-02 00:17:04 UTC
File Type:
Text (PowerShell)
AV detection:
5 of 37 (13.51%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwxgpgcdwabzn3jdjgu447j5bxahpxx3j6b4rfej2tbamwdd4d3q._file
Verdict:
malicious
Similar samples:
1201be819db6d09ce9bd23656c5bbd7430e0420f30c39afe37b3a4662581f143
AgentTesla
312a01b589aea6e8dfc11fdd5a362228970074eeec1a97d36f23f99b48b586f0
AgentTesla
65831b6a853bb664e7f189003da9cdda832e5bcf647c1e262b3bc80acb715814
AgentTesla
66c869949719a64950f5aaf24a687b04bdc73d8690264cad8861716129f3c216
AgentTesla
8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93
AgentTesla
877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7
AgentTesla
ab8674f0baf9cc51bdb639626664be6917a3682aa7ea25b7c233b673800513b0
AgentTesla
b82291de6b50625fbe64293024d4b7d3f1bc874e14d8a6c613b56cf4c5854d30
AgentTesla
fbbad7f1ea80336f2d11ec3df5d547fedcca56d3def4eb369f605122b02f3f34
AgentTesla
+ 7 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230702-ak2ghsbc5v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6186587654:AAGCfYz_-Ywr0jS403I82r-XCvl_CsLT1L0/
Dropper Extraction:
http://107.175.113.210/976/nmcn.exe
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a5ae679843b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5ae679843b00396ed2349a9ce7d3d0dc077defb4f83c89489d4c2065863e0f7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

PowerShell (PS) ps1 a5ae679843b00396ed2349a9ce7d3d0dc077defb4f83c89489d4c2065863e0f7

(this sample)

AgentTesla

Executable exe 8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93

  
URLhaus
https://urlhaus.abuse.ch/url/2674880/
anyrun
any.run
https://app.any.run/tasks/4d7e2635-faa3-486c-8f6c-a008da63bc1b
  
Dropping
SHA256 8182fd64aabdf1d67f00c87fe9d90fa7d52be56284738995446f82890205dc93
  
Delivery method
Distributed via web download

Comments