MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acc56d676d67ab62bebb9226f1689228a8c9bbd1a5855f6ce8dbdf8088c61ac3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acc56d676d67ab62bebb9226f1689228a8c9bbd1a5855f6ce8dbdf8088c61ac3
SHA3-384 hash: c280c571bd530bcb001bdd5a3c60763c6ad8d3f96b7d5fa93fec6af906352b454a3cff6ac08a3249525dc0aeeef8f801
SHA1 hash: 29ad34cd49277b83d22333eb625b0ea69cd342d0
MD5 hash: 6b32d401f9ce817a1f4ba9a1a5b3686c
humanhash: nuts-montana-blue-xray
File name:INQUIRY LIST.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:745'984 bytes
First seen:2023-05-01 00:02:34 UTC
Last seen:2023-05-13 22:52:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:xOX9xnueUElNzvxsXxs2egQVtALF1Kp09rxEQ4llF9yU4tibHDASg77pypQeQU7:W93UElnshsipMp0UllFAUaibHS77ReZ
TLSH T111F4AD569014C84FFE56DB70C1B9FFA4A6F0FD73A4D5102223B93989DAB9F021E4D268
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0e2aba3a5b8b8a8 (38 x AgentTesla, 18 x SnakeKeylogger, 14 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
INQUIRY LIST.exe
Verdict:
Malicious activity
Analysis date:
2023-05-01 00:04:52 UTC
Tags:
rat agenttesla trojan
Link:
https://app.any.run/tasks/ef3e82d3-3091-4785-8b9c-b8de2d8ec804

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385758/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.Spynoon-9939401-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed strictor
Link:
https://www.filescan.io/uploads/644f01b71facab193c66deed/reports/08ef5dc5-8ee3-4b16-af6a-2fab1a72f423/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/acc56d676d67ab62bebb9226f1689228a8c9bbd1a5855f6ce8dbdf8088c61ac3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09814a11-48cf-4a1c-8e16-bf51479adf43
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1223839
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 856792 Sample: INQUIRY_LIST.exe Startdate: 01/05/2023 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic 2->62 64 Found malware configuration 2->64 66 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->66 68 6 other signatures 2->68 7 INQUIRY_LIST.exe 7 2->7         started        11 PykPpJEcPxqN.exe 5 2->11         started        13 bUhSoz.exe 2->13         started        15 bUhSoz.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\...\PykPpJEcPxqN.exe, PE32 7->52 dropped 54 C:\Users\...\PykPpJEcPxqN.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmpA368.tmp, XML 7->56 dropped 58 C:\Users\user\...\INQUIRY_LIST.exe.log, CSV 7->58 dropped 80 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->80 82 Uses schtasks.exe or at.exe to add and modify task schedules 7->82 84 Adds a directory exclusion to Windows Defender 7->84 17 INQUIRY_LIST.exe 2 10 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        86 Multi AV Scanner detection for dropped file 11->86 88 Machine Learning detection for dropped file 11->88 26 PykPpJEcPxqN.exe 11->26         started        36 2 other processes 11->36 28 bUhSoz.exe 13->28         started        30 schtasks.exe 13->30         started        32 bUhSoz.exe 15->32         started        34 schtasks.exe 15->34         started        signatures5 process6 dnsIp7 60 host43.registrar-servers.com 198.54.116.10, 49695, 49696, 49698 NAMECHEAP-NETUS United States 17->60 48 C:\Users\user\AppData\Roaming\...\bUhSoz.exe, PE32 17->48 dropped 50 C:\Users\user\...\bUhSoz.exe:Zone.Identifier, ASCII 17->50 dropped 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->70 72 Tries to steal Mail credentials (via file / registry access) 17->72 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->74 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        76 Installs a global keyboard hook 26->76 42 conhost.exe 30->42         started        78 Tries to harvest and steal browser information (history, passwords, etc) 32->78 44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/acc56d676d67ab62bebb9226f1689228a8c9bbd1a5855f6ce8dbdf8088c61ac3/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 07:29:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
20 of 23 (86.96%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vtcw2z3nm6vwfpv3sitpc2esfcumto6ruwcv63hi3ppybcggdlbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230501-ab15dsde7t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114
MD5 hash:
b9897ba5e468e516e162fd3790a9ddbc
SHA1 hash:
db264c796e4a36a45af11e8a7bf71cf0dadce0f0
Link:
https://www.unpac.me/results/18725cbd-9123-440d-a165-9ce068c0458d/
SH256 hash:
4f6f3c8b1ba67c3484f7490e30afad552e681b52a2e821ca0bad58a52c3c83e9
MD5 hash:
dcbec433c0196a4956c3d2a3ff7c3fda
SHA1 hash:
96f5f455efcd60e19d13276a3cdc684910851c5e
Link:
https://www.unpac.me/results/18725cbd-9123-440d-a165-9ce068c0458d/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/18725cbd-9123-440d-a165-9ce068c0458d/
SH256 hash:
36f4263b699a8e20e5385fe1184d0a6957795d8452bde8f5c9dff6bd4810df9c
MD5 hash:
e57c5dab6602f95c1854bffdfbeaff3e
SHA1 hash:
7dd0e2a2b654289b54f18532a2da595c3cde3ff8
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/18725cbd-9123-440d-a165-9ce068c0458d/
Parent samples :
9c5a321ef423a10c264e0bc599091753b279c557b18b2f655bcd4eaf7d883ee5
acc56d676d67ab62bebb9226f1689228a8c9bbd1a5855f6ce8dbdf8088c61ac3
16e67e79d382c4480603832ba0b3073208224e0e5078e3dd1e108a7b98a0f690
0276c4e5558a9efceff121f87c071ecbc5ebba665c850973b9bd5793d5e91fec
SH256 hash:
0554616d833e5c1c22d31ede3ac1ddfde7a59c6a48ded5b970371c4b3105d82d
MD5 hash:
bbcf74f25cb885446d6f65add271aa62
SHA1 hash:
71bfd6769dac9d080d28f9c4b1dbf4548aa472eb
Link:
https://www.unpac.me/results/18725cbd-9123-440d-a165-9ce068c0458d/
SH256 hash:
acc56d676d67ab62bebb9226f1689228a8c9bbd1a5855f6ce8dbdf8088c61ac3
MD5 hash:
6b32d401f9ce817a1f4ba9a1a5b3686c
SHA1 hash:
29ad34cd49277b83d22333eb625b0ea69cd342d0
Link:
https://www.unpac.me/results/18725cbd-9123-440d-a165-9ce068c0458d/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/acc56d676d67/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/acc56d676d67ab62bebb9226f1689228a8c9bbd1a5855f6ce8dbdf8088c61ac3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/385758/

Comments