MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a75f2034e8cf618c7ccb7016dbfa873c2b7a83b1818f62281594164e48af34d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a75f2034e8cf618c7ccb7016dbfa873c2b7a83b1818f62281594164e48af34d1
SHA3-384 hash: b5e46475a34331d58785ea3bdb09555c209ce6631718f7186f63286afc0466117058a891d4b0d2b65b468c7f7b584932
SHA1 hash: 3f9ba2f8c12eddf59b99ba9340086e88788e8cc8
MD5 hash: 30de63b534b6914cfe3b2fc81dca2dc6
humanhash: chicken-football-coffee-tennessee
File name:INC 718 130 KSI_CSP-7.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:574'464 bytes
First seen:2023-04-18 10:18:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:y9fNX73sxJwV6Id2oHmlXzuLgNckbwWEAM/CFHtpG2OJ:Gd7cwVNr+bwN2hS7
Threatray 2'211 similar samples on MalwareBazaar
TLSH T162C4F059C171AEE3E2DD0A36000426DEDF30A1E378B7C63C479675A6DB9F7191C9818B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INC 718 130 KSI_CSP-7.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 10:21:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c50ed65e-f1d7-4b65-8a85-f28a9580147d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382974/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643e6e99000396b4e9992aa7/reports/46dc78ff-ee81-4b08-b3c8-875ff6caf303/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a75f2034e8cf618c7ccb7016dbfa873c2b7a83b1818f62281594164e48af34d1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c96dbdd-75b9-4261-b6bf-a89677adbe4e
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215118
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a75f2034e8cf618c7ccb7016dbfa873c2b7a83b1818f62281594164e48af34d1/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 13:32:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u5psanhiz5qyy7gloalnx6uhhqvxva5rqghwekavsqle4sfpgtiq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
15521c63c4acf711edeacb072031aaf7c8eec1b8dfdaf364ffd3e9f71fa66cff
AgentTesla
1ca3575bdfb30ebbb970d00611808d9de9816763aa135d2e22a5b208cd4d3b23
AgentTesla
3f9a3906d05707bc7faba452982b42c6f8244b99e906a9009fefdf3209ab83b9
AgentTesla
54d2d443952347ccc724a8f39806ff9fca252511b2fca91e2fd6c9998612ed32
AgentTesla
58c82c6759d1284e35311a76db2c5c81db938ac0722ab97ee5c56ac75caefe13
AgentTesla
74f0cd3a4b819ccc977a778fccba82e096dec880a6dba59641fedbdcfb4f7292
AgentTesla
8382a6ee4216faec05fbd17a082a85a05c4878ba1dbc440744439a5011eea035
AgentTesla
8a737bbbfd9a311f50f79ce1c47f6f86a40dcf3372e801e669e5fe9568bad3fe
AgentTesla
94c89d127587016abb2f7926c8eb23c10665787301fc7f5ca711b6bc02e60a88
AgentTesla
bf71bd90c11bb97f08391a42466582b08c5089cf47ea9075dc7e1a24d1b97016
AgentTesla
+ 2'201 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230418-mchewsce91/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
9711921b83a4beb1720ab0ac9c2cc9fdef191d652d5411351e58ac70fa915be7
MD5 hash:
09079036ddef6a238cca20080258d70b
SHA1 hash:
a71ab727ca8347bb27f44d83e47a7bdb87cd8482
Link:
https://www.unpac.me/results/285d72cf-aab9-4e9b-a937-8043d8bc380c/
SH256 hash:
27d86f099f69dbfe52d4243f4bdfa5da56ec6f0e9680a28958cdf11c75ec1e3c
MD5 hash:
c907d6cbe4dee120b6c9813d3dbc676c
SHA1 hash:
99eef8762b52ab87e5f1455168beb57d8d608aed
Link:
https://www.unpac.me/results/285d72cf-aab9-4e9b-a937-8043d8bc380c/
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/285d72cf-aab9-4e9b-a937-8043d8bc380c/
SH256 hash:
05b37b4f31612a4e7d360bc6317422c0945f82b071afc241b58cd3ac72da12ac
MD5 hash:
d2ba439e0a9fa77a2bcc01e411b40d18
SHA1 hash:
59797ff8d300fdacf923b161b59bbce5eb493bc7
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/285d72cf-aab9-4e9b-a937-8043d8bc380c/
SH256 hash:
48fa69381a8585fb1823153eac76d122191e02086f001865e148b303438962e4
MD5 hash:
fc4aa145f7c4267a4bfb046fa2e5016d
SHA1 hash:
2eefa2e8315608042e73b36de423525b6fdab0ea
Link:
https://www.unpac.me/results/285d72cf-aab9-4e9b-a937-8043d8bc380c/
SH256 hash:
a75f2034e8cf618c7ccb7016dbfa873c2b7a83b1818f62281594164e48af34d1
MD5 hash:
30de63b534b6914cfe3b2fc81dca2dc6
SHA1 hash:
3f9ba2f8c12eddf59b99ba9340086e88788e8cc8
Link:
https://www.unpac.me/results/285d72cf-aab9-4e9b-a937-8043d8bc380c/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a75f2034e8cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a75f2034e8cf618c7ccb7016dbfa873c2b7a83b1818f62281594164e48af34d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a75f2034e8cf618c7ccb7016dbfa873c2b7a83b1818f62281594164e48af34d1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382974/

Comments