MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a83423d3a684c1defbb7b445d0594e8074f803fbb4b170a3450e3879aa619886. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	a83423d3a684c1defbb7b445d0594e8074f803fbb4b170a3450e3879aa619886
SHA3-384 hash:	5c8395bc4d81ef960c4fe4406736613b4029473719334b3b364a2484077c154039e1c5138375aef402b667247b0e5066
SHA1 hash:	4efc8b61727d0831036df2222fd7610d45918032
MD5 hash:	dd329b3815943cb003f5b91d1a68a036
humanhash:	fruit-wyoming-ohio-three
File name:	41570002689_20230609_05352297_HesapOzeti.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	763'904 bytes
First seen:	2023-06-09 13:19:16 UTC
Last seen:	2023-06-15 19:07:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:hNPWR28Le0cY+Yg9fb9XqYCUvCAzJJUo3h3YRa+AzCBFYfx:h5+xL9Rk9UUvCAh3h3bxx
Threatray	2'524 similar samples on MalwareBazaar
TLSH	T1A0F4016C1EA6845ECC823B7CCD303BB5D2E95D957173C24B9FA3B9589F37A0C0981692
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	4f87aaacacaa834f (15 x AgentTesla, 1 x AsyncRAT, 1 x Loki)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

41570002689_20230609_05352297_HesapOzeti.exe

Verdict:

Malicious activity

Analysis date:

2023-06-09 13:20:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8d9961b1-da51-469e-9ed8-8c4f2daca593

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/397402/

Detection(s):

Sanesecurity.Rogue.0hr.20230609-0934.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a process with a hidden window

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker comodo darkkomet packed

Link:

https://www.filescan.io/uploads/6483270460dff9842c54f569/reports/ed32f311-6d56-4be9-9454-a797dba19f1b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/a83423d3a684c1defbb7b445d0594e8074f803fbb4b170a3450e3879aa619886

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/27385ae6-0e7c-4b12-8ecc-06b479a7568e

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1251955

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a83423d3a684c1defbb7b445d0594e8074f803fbb4b170a3450e3879aa619886/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-09 00:36:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 37 (48.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=va2chu5gqta5565xwrc5awkoqb2pqa73wsyxbi2fby4htktbtcda._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

25300a6afdd9084a8ea11d4881387ab2545652380643603f8e5fb1da74d57486

AgentTesla

43e9db6b9ba0f48665e26a37880216e9b9135177bbb280b1b0143d2295b9a53d

AgentTesla

4a1731baffae0aeb7576bbe744f7c4bec60f3a8865fb6f9ed597f50f6c9e4c09

AgentTesla

690bf56c513b3b1e8ef7eb1cabd0e7ae3caf33e6d4442264ec5b17c74b9c5d92

AgentTesla

8699f030698874a541a877ae7068bde48d11e74fd9a6c817d45885e1815e0dcd

AgentTesla

9f090c60579dab06ddcae55533aad49e67b857d77a7f39074105267870f0dca5

AgentTesla

a4d917b6696ddef08d0f4ea5a2dcaa8de85e639684a5f869e353c2c80315e2d7

AgentTesla

ec138fd03e6239e84fa8751411c8dfec0fb3ebff47e0deb9f7aad7e3b3cfd744

AgentTesla

f94d390deeb6e7c8738fc693de22e0a49e4d57681759dde58102ebeea443463c

AgentTesla

+ 2'514 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230609-qk384sda5t/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

740e7b7c52b009a96ac47a0cebe652c6aa97803f0f2b73ace74aa4aa16d59cbd

MD5 hash:

d78a9d6094814337deec16d021405148

SHA1 hash:

ff2acaf75cbb3db9b7e1752e635a19ee19eceb16

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/23510ea9-abb8-4370-a8f8-22a7fbbae7e8/

Parent samples :

b1bf6e4993200202d88ce1ad2a2eaf60f8a1b5665b1873eee7f4220f9a31eb4c
fb012706e028ca770d05ae4580045de7450d40b069bc8f8a250e292746b45b90
8838925ac19a77ed2817ed8e52b6b9db02d58987dd10774eac576f839df1c5f5
c336b24aeca365ef88005a1bdf4daeee797b2ae2c0976b3db1fa4cd7c9290b87
8e3f656f70978440245c238870f316ccdbfbadff73350dd6d204c9035cc00357
3706066f775904b6ac4d07b179d3f7846c15c085ddeff5633c72a555d9529748
43b2d95b4ca603f5007a2d5a389b02d19df2103077146ba3aef9fbd82f2e0770
99fb5779f548068f16297af0c00a4d67ba8c32555a608d22b6b4f66dd420e5b7
fd7a04ef2040fb5bc9216fe5deebd9cf7d1190e7fbdc0e15a42a6c8b639de167
af4fbd837568e98c2a396d6f678b2ac9844653278c191af886c939844f9f2f3b
62d84fe295553d606c20def616280682b67dac3747ffe3ff4eb2337d2d01a4e8
2ac859e404e799bec8c46de362bc5af79bfb5ba455b9dd8832f4198f05692d7a
dcc8f01c079ede8b283839c41ab3eb1668d7a37183d3af2dce5d962ef0835e05
1a90138e87d6691efc22705cfd6b4003a434a5b55125b0c6663ef39206a501f1
9ffbaa54e1ce485cafb5c9eba276d6d18be8d95511838d3e65a4e08cdbdf0a4c
2f8c73b98c4878c743b2e0d5ec8e67ee1b6a0cf931d1ac69fa48a9600d869510
67aa6dd3cfc208be2bf9bc11b9e2ab4dd59f594653f4f073c8b96b5f5872c286
8086b51ee5ff64002102bf80e36b81650ba576903fc00965e1a947ae013aa9c0
05ec15a8743d17229f8749eefbd23092870a62b8befad9881b2d4dc63b0b194b
2eff68c23c7347d6a7614ae78fb7860aa81cebc0037d9c2a95fb795c2e2b3d6f
c533150826bd6cd5b29cc1ec1b552091e976f7ec10044796f947bc262023d9bf
3dcb0606b40e8a5d64da878ee28ae32fcb1c6072aa9a238057548f34c8cdc59b
80975a26a4f83ef73e1ea0280bb003b7f64daec835bf476077eda08c756a5671
b3fac580e11f2a319aa3a2122fa47f08dee0d8c8bb1967cc5b0a548493de7781
f94d390deeb6e7c8738fc693de22e0a49e4d57681759dde58102ebeea443463c
43e9db6b9ba0f48665e26a37880216e9b9135177bbb280b1b0143d2295b9a53d
0bf1609dcbb7c573bfce2b0333c56ff2db52dd54fe98a278e57a99b46dbfbe68
4a1731baffae0aeb7576bbe744f7c4bec60f3a8865fb6f9ed597f50f6c9e4c09
ec138fd03e6239e84fa8751411c8dfec0fb3ebff47e0deb9f7aad7e3b3cfd744
a4d917b6696ddef08d0f4ea5a2dcaa8de85e639684a5f869e353c2c80315e2d7
a83423d3a684c1defbb7b445d0594e8074f803fbb4b170a3450e3879aa619886
06b2ab16e068ff058fd7b142d331ca7b694c4a311320c6a6aaee7acdd38b2402
8b9f62091a55888570c94edca554a69a8b28909113b022021372e936e2c567d9
7cdadb18edcd84c6223b48a00dc074dfec26f8416b754acc87f1231ede8bc42c
ca779382008cbe0bc0ed6b46f21edcb095d7e3ff6cd56e192b5c7259a60a3729
e77034ca0f5612915367f7d97ba20d7452594622ce20078eee74df276173ef47
3d9b67b5dc857a2663548b9335d48dde0a880f6b61490f0cced767399a166f2b
a3646df57e935938fdf32f977fe40f1cff32a25ecfb8d086c08cedff9f7d7f1d
b750afd55ac6a1bb83126243c9fee3c8fb3ea328f3ef7dbed27d25572e374eb5
b5e595f70f317fc0c3916b7f0294681db744ec05ab7013cfb770c1f656018c8e
912e8de60b256356d9d56d77bd1441e5b7692af26fb320e7645bf5edde861baf
c1c41ec1f495a0b825d766f3cbff298777033bb1447d7ccbec6a03bbe0bd54ca
62804130bd52854d369a3586de018287087aa07d7b5d5e3e851122be331b1200
1b6b62b3f96553b8800f1c2c38ef1dde521a149715534f1fa19d02a9df8722bf
dd48767cfb22ef37bba35b4e630122994f00f156e2bdc63d59bbae9a8c36d6f1
fa89df8e9ce2ef14867f975a2fa4f9e3153f02ddbe261c33922826683482b3be
f6ef6dd1439771a20f55663c0b199a57f16da75e9249731916db75aca2265d50
e81901a970e6242560a0a44bc37bfa54a19174920f1f1ea032aeecc2008f2884
6b64730d26c6e0c4ec3db4e89ac886fbaf8cd4decf695c44201a8dc45b3d9f5a
94a5965ad18abb09e0e0e2ea434c021c0c4dbc20df6381196ac41b4ef356fe8a
b7ae1c2109159bbab425688f0735a3fc8c9d623c78ef409f3bebace05bb1ecab
c443575783b8c82cbbcf60290fe58b8093bb2be9e71dfe3abca851efc08519cf
8c36d1b83a2d060b222898c7b06c04b2b316db233dd58e6551bba8096520592d
348adfb8653e9a39c662e8bb76909d27fd2b79430826658ae8166140006391f3
40a3aac33840e3fa650b9a42daa9ecabaf27f36dbc94b41ce1620817ff188b67
d81ba294e8f5bd20984715efb925abe3df619def7254f554afd09242bea903e6
73efb6c1b43b24a695e351ae599855ecc01e30a90c4999c6f6c93bcfb8329291
000518a2ac056e4e5907aa1eab5b5c4e61b728583a4f77322a6c85190993f4df
c719c3f4ed747b4f467656f57a3eebcfbdaf116e86e78581038607e5830bbd15
80ce21fcc805697cd3d617fb8599d9e20a300a7e1428c0b160db85f166db5be3

SH256 hash:

75cdacd72273d5d154d5650f297e27810cf0733748df1ee8aae91773f29ce6fd

MD5 hash:

36301fc5c2e31fe289b94783a0ed9fa7

SHA1 hash:

72b948b0e9522e722c8ad2538c99f57c35f536a4

Link:

https://www.unpac.me/results/23510ea9-abb8-4370-a8f8-22a7fbbae7e8/

SH256 hash:

e4659c6c4d6d106ff97a1f581f380f5efab800d77a952452b5859bacf715584d

MD5 hash:

bcc1a409b89bfb01867bdfa69d3fff56

SHA1 hash:

e742b2f9bcf6612352a0be18e612ebf906d019bb

Link:

https://www.unpac.me/results/23510ea9-abb8-4370-a8f8-22a7fbbae7e8/

SH256 hash:

c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d

MD5 hash:

9390df6c9a6111978dee5414bc42eda6

SHA1 hash:

d3cb1c366b9e466afa93eb369838a04d30777795

Link:

https://www.unpac.me/results/23510ea9-abb8-4370-a8f8-22a7fbbae7e8/

SH256 hash:

cad9d5158bd4148003f9393e3b89ea98951360112337f191af3fc7ed9d9fac34

MD5 hash:

cebb2b71aadd6adf6c4b077193e0522b

SHA1 hash:

b705fe3184e6e0a48cf7e30dbe9d1bf317e83a45

Link:

https://www.unpac.me/results/23510ea9-abb8-4370-a8f8-22a7fbbae7e8/

SH256 hash:

a83423d3a684c1defbb7b445d0594e8074f803fbb4b170a3450e3879aa619886

MD5 hash:

dd329b3815943cb003f5b91d1a68a036

SHA1 hash:

4efc8b61727d0831036df2222fd7610d45918032

Link:

https://www.unpac.me/results/23510ea9-abb8-4370-a8f8-22a7fbbae7e8/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a83423d3a684/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a83423d3a684c1defbb7b445d0594e8074f803fbb4b170a3450e3879aa619886

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/397402/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample