MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee
SHA3-384 hash: 41d8eb3a810c3cbaffa32d51d8b8e64da3f227f337f1d6450780f5b7292c79b48cd0f5312d855506b0b7644440771976
SHA1 hash: eacb35c401ddeb85fda32afbde69f80c6ef0d23c
MD5 hash: 9e0337bc403a707cfc2630e327135bf6
humanhash: california-mississippi-ack-saturn
File name:SOA 720592.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:386'086 bytes
First seen:2022-11-24 03:18:31 UTC
Last seen:2022-11-24 12:39:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 6144:QBn15fnxMA/DPnzso/2ZwVNliUVoTEe2elmBUEhDs6+zICi7IFNeRqdEu2M7rCe+:g9Jrnt+AVVUEejo3+zICdHeqSuJrIB
Threatray 20'002 similar samples on MalwareBazaar
TLSH T19A8423803BF199B7FB9353320F66A36193FD6364666221934F8806FB96134CB7E43285
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SOA 720592.exe
Verdict:
Malicious activity
Analysis date:
2022-11-24 03:21:27 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/87676103-a3ad-42c1-b02e-1cb62bfb3362

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337886/
Detection(s):
Sanesecurity.Rogue.0hr.20221124-0235.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/637ee2a694f9bac087b33071/reports/79298a97-5b05-43a3-bedb-b4642e9aa0f3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fbfccc5d-ecb5-41bb-9e5f-88c70c4d841f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1120243
Signature
.NET source code contains very large array initializations
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 752960 Sample: SOA 720592.exe Startdate: 24/11/2022 Architecture: WINDOWS Score: 96 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected AgentTesla 2->50 52 2 other signatures 2->52 8 SOA 720592.exe 19 2->8         started        11 vxpwynvdqukoxg.exe 1 2->11         started        14 vxpwynvdqukoxg.exe 1 2->14         started        process3 file4 38 C:\Users\user\AppData\Local\Temp\wpmvk.exe, PE32 8->38 dropped 16 wpmvk.exe 1 3 8->16         started        54 Multi AV Scanner detection for dropped file 11->54 20 WerFault.exe 10 11->20         started        22 conhost.exe 11->22         started        24 WerFault.exe 10 14->24         started        26 conhost.exe 14->26         started        signatures5 process6 file7 36 C:\Users\user\AppData\...\vxpwynvdqukoxg.exe, PE32 16->36 dropped 40 Multi AV Scanner detection for dropped file 16->40 42 Maps a DLL or memory area into another process 16->42 44 Sample uses process hollowing technique 16->44 28 wpmvk.exe 2 16->28         started        30 WMIADAP.exe 2 16->30         started        32 conhost.exe 16->32         started        signatures8 process9 process10 34 WerFault.exe 20 9 28->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-23 23:39:49 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 40 (55.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wb34mnchd3rjby4pty6o2u3vrchzhcionmeebog3fqljcf2qdhxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05793491a0160fba57cf1219dd69f0c49a1fd9a43cafe0f78590c1e526f298c6
AgentTesla
19036261b89b27743d0b8c2353751f57b256357525068f67b166608b1eb33268
AgentTesla
19de4d4d72c8afbd254b044dff3b4959036a10fb75a1c79deb85fd4a29cfc802
AgentTesla
3315dba57b06d3e95fdab93ad09e5a67755b7ecf81274b0907cfe2e051e36b3b
AgentTesla
91b511bb7a9d86543503ce39dbda14d12f86d8d704a7e97c070356a182902bf7
AgentTesla
9f660ff6e3caee11f67955164f6960a03343ab34ff7d234c004579aee754d9ce
AgentTesla
d19f7c46b3fa82c6f7902bdc4679d13f9933f72c2826e817bff08e7d0869a92c
AgentTesla
dbae317e9d39fb5a987c2d0dc6d08c171615c0e9042f576ca4075ddda49fa515
AgentTesla
e2150f160d11a8a7917b38060171eceeb1d68209ca5c81394682b0d828f35ac9
AgentTesla
ef93be06b93e89bc68dd92ca713f40e320a654c49a241a6884785acf964b8ba9
AgentTesla
+ 19'992 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221124-dt6pdadg79/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/36f4bab7-7228-46cd-9ca6-09ce43a9126a
Unpacked files
SH256 hash:
4a2f751ade893e4047bed1fde647496804a95f05b115923987896ec942e5e76c
MD5 hash:
e78da4f5ee29898248aaf59d6aebd206
SHA1 hash:
2edc93509848eecea7a2bc01b36b58be74faa4a6
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/b9951258-cf32-4f26-bcab-20a0c2ba5c7e/
Parent samples :
b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee
d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e
SH256 hash:
b2e6c2cc4d8fb2f25efc1d20e2dcd1b49386c0ccd6c80f98e34d2d652ec6e918
MD5 hash:
b651f6f55b6b76cb9ca06e49841ecc0b
SHA1 hash:
856ca9e92aa007125319ed298b48b1bf5a2f6f4c
Link:
https://www.unpac.me/results/b9951258-cf32-4f26-bcab-20a0c2ba5c7e/
SH256 hash:
b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee
MD5 hash:
9e0337bc403a707cfc2630e327135bf6
SHA1 hash:
eacb35c401ddeb85fda32afbde69f80c6ef0d23c
Link:
https://www.unpac.me/results/b9951258-cf32-4f26-bcab-20a0c2ba5c7e/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b077c634471e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 5c0301dc15876b4c27e831d6204407c9791abc75d5f02a47c2d354763fb1b28c

AgentTesla

Executable exe b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/337886/
  
Dropped by
SHA256 5c0301dc15876b4c27e831d6204407c9791abc75d5f02a47c2d354763fb1b28c
  
Dropped by
MD5 27eec396b7ec7833f526d3306af6a42d
  
Dropped by
SHA256 b0705fc74ec81631a877977bc1c21d82b9e99e57bbfab042178207bd7abf0684
  
Dropped by
MD5 f5d25a09faec5e848e881bbaaf6134dd

Comments