MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e
SHA3-384 hash: 9d11f4a73bda12301d0283d9ace659a455146f4574918ab7d6d42998108a841d02bec0d466c047ba1b4abaaf5ae46f54
SHA1 hash: aa50651bfc4f3c2be45f42dda737ac8f5a42b6f5
MD5 hash: 6fac1d175f51ebf8890cc785e2eefdaf
humanhash: skylark-bacon-texas-echo
File name:Doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:737'280 bytes
First seen:2023-10-05 08:29:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:XMYnQ3j67SESV1eXl8OhA90G/zoEVEKM3vmVFw3Bzfm8nH9X4OvJq4BTaeec7KEC:XBGpOP9f5nH9IO8IeN9EPOQ+zYe
Threatray 73 similar samples on MalwareBazaar
TLSH T10DF4E0D5B7D9FCCCF7D6693688B480004175BD4B78AAC65F7C4536A890F3383229AE1A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f08f898c8e8a8fb0 (37 x SnakeKeylogger, 19 x AgentTesla, 17 x AveMariaRAT)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Doc.exe
Verdict:
Malicious activity
Analysis date:
2023-10-05 08:36:34 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/9b567b50-b871-4785-9e0e-29c584ebfabc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/651e740d426c8727d6ee8159/reports/df4bf260-a30b-4978-8633-b8f4527c8afb/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9dd880a6-7ae8-49a0-bf93-109ad163d159
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1320004
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Copy file to startup via Powershell
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1320004 Sample: Doc.exe Startdate: 05/10/2023 Architecture: WINDOWS Score: 100 32 zqamcx.com 2->32 34 mail.zqamcx.com 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for dropped file 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 11 other signatures 2->42 8 Doc.exe 3 2->8         started        11 anydesk.exe.exe 3 2->11         started        signatures3 process4 signatures5 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->44 46 Bypasses PowerShell execution policy 8->46 13 powershell.exe 11 8->13         started        17 Doc.exe 2 8->17         started        20 anydesk.exe.exe 2 11->20         started        22 powershell.exe 9 11->22         started        process6 dnsIp7 28 C:\Users\user\AppData\...\anydesk.exe.exe, PE32 13->28 dropped 48 Drops PE files to the startup folder 13->48 50 Powershell drops PE file 13->50 24 conhost.exe 13->24         started        30 zqamcx.com 78.110.166.82, 49690, 49692, 587 UKSERVERS-ASUKDedicatedServersHostingandCo-Location United Kingdom 17->30 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->52 54 Tries to steal Mail credentials (via file / registry access) 20->54 56 Tries to harvest and steal browser information (history, passwords, etc) 20->56 26 conhost.exe 22->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-05 00:15:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vff475lihrorwgr45lj5qi3mtbmqxixktoibrvgml743m7yi3rha._file
Verdict:
malicious
Similar samples:
4894c3f698e1101a02c7af04e0fd81e36a0d91c0ce7c7003234e7bc18906f024
AgentTesla
4d845e9e862b6cc61cf4909f4c16c2330483ba62d32c977c0080020a841bf3e1
AgentTesla
5c7e18764c02e02117f91213a2f66e63265d3ed30c0ea8ae1c9be8ff5ee4ba43
AgentTesla
6c83949ffec3d4b7b6ca9b809640068415a8cef56ed7c81528a616da7838a762
AgentTesla
76e3dbab3672c60e088f0f847a6689b6d89b188fb8352dea1c3aae92677ad776
AgentTesla
a55bc4f0b6518131e8b5a86cadfe4c15201753ca1e14b0fc36692ae802298c7a
AgentTesla
db6d0d7d8fbb083af05032fa8d3d516cf789f2f81fc651749e77bb4f7ba4e5ee
AgentTesla
+ 63 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/231005-kd5wgahf5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
7c79b34216f9ee3296cd025d08f57d4392026382ded0913f87015114a7b88a62
MD5 hash:
c40e52aa0571c6220213a5a5b9316d01
SHA1 hash:
f431138fccaecdcecc43cc50d3603fb476e9b054
Link:
https://www.unpac.me/results/35bf28d9-31b9-4802-8254-b6df0432c6e2/
SH256 hash:
b0a5bde203404c5a11167cd0f11a60c039dd4766c2d20b7b0f1564563a951d04
MD5 hash:
1c35586d4dc1efccead9458191b70caa
SHA1 hash:
ef22b6acf15ea63518272a5e751afeb5640f1bff
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/35bf28d9-31b9-4802-8254-b6df0432c6e2/
Parent samples :
8bfbe6c64b3e9bb5ea1eef4bd87874cf7c9521eb55aeb5c0becee6c06ebd5d69
a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
Link:
https://www.unpac.me/results/35bf28d9-31b9-4802-8254-b6df0432c6e2/
SH256 hash:
a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e
MD5 hash:
6fac1d175f51ebf8890cc785e2eefdaf
SHA1 hash:
aa50651bfc4f3c2be45f42dda737ac8f5a42b6f5
Link:
https://www.unpac.me/results/35bf28d9-31b9-4802-8254-b6df0432c6e2/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a94bcff5683c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar d6f191b1c4d023ae1572b4eddd36b3448046596584f9ae6ab1329d6575695fe3

AgentTesla

Executable exe a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d6f191b1c4d023ae1572b4eddd36b3448046596584f9ae6ab1329d6575695fe3
  
Dropped by
MD5 99e4ff48cf1939933e20e741ff65fc0c

Comments