MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a830eaba9888a6fa0a3cbf85da3636f1c41ae7a0372cbc5cfab0efd197894fc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a830eaba9888a6fa0a3cbf85da3636f1c41ae7a0372cbc5cfab0efd197894fc9
SHA3-384 hash: a180cbfe63a4a168d8631785ef7b6d7df2c78b209410adb043a43302e59434e49cf6a196b53bd2405e5c9e0432230204
SHA1 hash: e35676639aba9364817bf6ac5183bd74673a1a4c
MD5 hash: fac38120fdd7a0f28f3bda0a3bdbfc63
humanhash: mars-coffee-illinois-vermont
File name:PO.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'846'784 bytes
First seen:2023-10-23 13:05:18 UTC
Last seen:2023-10-23 13:34:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:3XHFtpAqXyB5V+jdfiwUyz3dEluQI+Ns44c:n5AqXuVwdfiwUyREljI+N94c
Threatray 238 similar samples on MalwareBazaar
TLSH T1998539866A7ACD22C9900737C096F2B11F5CDD86A363F21726CD7EB33DB2B569D04246
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 31f098b29298f031 (53 x AgentTesla, 30 x Formbook, 12 x RedLineStealer)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
319
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PO.exe
Verdict:
Malicious activity
Analysis date:
2023-10-23 13:08:31 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/46211564-b213-451f-9825-06db460fcec4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.15605.6920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin packed
Link:
https://www.filescan.io/uploads/65366fbb4678fc28dfc6127b/reports/18bd7241-ecf7-4c02-ae11-043af9d10bab/overview
Verdict:
Malicious
Labled as:
Ser.Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/a830eaba9888a6fa0a3cbf85da3636f1c41ae7a0372cbc5cfab0efd197894fc9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1bfa0a93-7b5f-4a40-96a1-dddfc0b25f46
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1330585
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1330585 Sample: PO.exe Startdate: 23/10/2023 Architecture: WINDOWS Score: 100 27 api.telegram.org 2->27 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 7 other signatures 2->45 7 PO.exe 3 2->7         started        10 WindowSecurityxy.exe 3 2->10         started        12 WindowSecurityxy.exe 2 2->12         started        signatures3 process4 signatures5 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->47 49 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->49 51 Injects a PE file into a foreign processes 7->51 53 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->53 14 PO.exe 16 5 7->14         started        55 Antivirus detection for dropped file 10->55 57 Machine Learning detection for dropped file 10->57 19 WindowSecurityxy.exe 14 2 10->19         started        21 WindowSecurityxy.exe 12->21         started        process6 dnsIp7 29 api.telegram.org 149.154.167.220, 443, 49736, 49737 TELEGRAMRU United Kingdom 14->29 23 C:\Users\user\...\WindowSecurityxy.exe, PE32 14->23 dropped 25 C:\...\WindowSecurityxy.exe:Zone.Identifier, ASCII 14->25 dropped 31 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->31 33 Tries to steal Mail credentials (via file / registry access) 14->33 35 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->35 37 Tries to harvest and steal browser information (history, passwords, etc) 21->37 file8 signatures9
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a830eaba9888a6fa0a3cbf85da3636f1c41ae7a0372cbc5cfab0efd197894fc9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a830eaba9888a6fa0a3cbf85da3636f1c41ae7a0372cbc5cfab0efd197894fc9/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-10-23 14:01:38 UTC
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vayovouyrctpucr4x6c5unrw6hcbvz5ag4wlyxh2wdx5df4jj7eq._file
Verdict:
malicious
Similar samples:
02522d0f348287c34fe5151fcd556f2f9fb9efe532af705638ea0f2a39dd2434
AgentTesla
1ecf4a80641db7366f049cd1a60eb75d36eb68578d5e71e4e72d2474aa9be7bc
AgentTesla
4bc7979e8e63f880e9f4d7be6e59e55c059f5de3377837fcac7d167e3d4fc19f
AgentTesla
4e4c154f0500990e897ca9650eafd3c6255ba4df3b4bc620c6ba27b718278392
AgentTesla
6e006fa2cf49e2c52add436f266e2f62fb53ec936dd3caf536749d859240d6ae
AgentTesla
72e5420f9ce8e361479ffa0959e14c29d10b3112c0cbafbde4554506d1bd665a
AgentTesla
b916d475339eb0e64ad8e4e8bf897adb317c8add907ca4f72c1b7fda76cd8550
AgentTesla
e3918d1a379ce63babeab599ef8897ce97001017680702dfc8b5ca8ff1808b54
AgentTesla
ff7cea1471a8650fec0cf17b7006d68320702939027341f922389672bfe88115
AgentTesla
+ 228 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231023-qb3afsgg9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6311067514:AAHtnKwRJ8RKolbkTazsjWf3lM-wf1iwgaU/
Unpacked files
SH256 hash:
7919381b9f924b93d2faa076804198f2b053c1c5f5a073043a95ebff94ebb235
MD5 hash:
56c75a5aab2665e3e3970db01f147848
SHA1 hash:
f81a3b2a4eb7eceec52948dd4a644b3a8853d205
Link:
https://www.unpac.me/results/4e14a8d7-4e6c-472b-b83e-a8a290d763d4/
SH256 hash:
b8987fa07ef62d34407c61840c55d89e71e756ca28cb049769e6ce91e2c8aaef
MD5 hash:
522fcbc7a909503bccfb9b4f8c7695cb
SHA1 hash:
93e0fcb1fa81b41aabac3306facb78055172f9ef
Link:
https://www.unpac.me/results/4e14a8d7-4e6c-472b-b83e-a8a290d763d4/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/4e14a8d7-4e6c-472b-b83e-a8a290d763d4/
SH256 hash:
a830eaba9888a6fa0a3cbf85da3636f1c41ae7a0372cbc5cfab0efd197894fc9
MD5 hash:
fac38120fdd7a0f28f3bda0a3bdbfc63
SHA1 hash:
e35676639aba9364817bf6ac5183bd74673a1a4c
Link:
https://www.unpac.me/results/4e14a8d7-4e6c-472b-b83e-a8a290d763d4/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments