MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b079b00c1b21ed95667a8adb41808e9578a95cc5a4700f42d8cec8fe8ad399f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b079b00c1b21ed95667a8adb41808e9578a95cc5a4700f42d8cec8fe8ad399f9
SHA3-384 hash: e8b5d6512277eacec4d0448355dd8abb0f535d96021ad45cdb051a554ecdff3b77610e463df8fe4705a63d255dab51e9
SHA1 hash: c96d1e5d322cdc61d15451a9a6793879754a4d39
MD5 hash: d9cfb41825b905e18f487f84cd4c1f9e
humanhash: earth-nebraska-speaker-bluebird
File name:BL Z DTP_ ADU_0061883.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'149'952 bytes
First seen:2024-01-23 15:28:29 UTC
Last seen:2024-01-23 17:15:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep 24576:nqDEvCTbMWu7rQYlBQcBiT6rprG8af4o18/:nTvC/MTQYxsWR7af3
Threatray 4'601 similar samples on MalwareBazaar
TLSH T12535AF9333A3802AFED7A1BA5A85E10D46B95D1D081BA52F02540975F9F4E6C0F2FB73
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 4cc04a4c5c5a0004 (7 x AgentTesla, 4 x Smoke Loader, 2 x DarkCloud)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
307
Origin country :
CA CA
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472526/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit fingerprint keylogger masquerade packed
Link:
https://www.filescan.io/uploads/65afdb408dfc251a25fd910c/reports/32129a0f-8d71-48e7-9b61-3d6add5572b6/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b079b00c1b21ed95667a8adb41808e9578a95cc5a4700f42d8cec8fe8ad399f9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23896958-9573-40eb-9fbb-07292aea8479
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1379624
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found API chain indicative of sandbox detection
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b079b00c1b21ed95667a8adb41808e9578a95cc5a4700f42d8cec8fe8ad399f9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b079b00c1b21ed95667a8adb41808e9578a95cc5a4700f42d8cec8fe8ad399f9/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-01-23 12:27:53 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wb43ada3ehwzkzt2rlnudaeosv4ksxgfurya6qwyz3ep5cwtth4q._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
094579daf45aa63978c1687fe60d6bbf6b4cc230c7951ce8c5c7b2d085dcc968
AgentTesla
17903ff26a562a06c1f303b34ebad57d8cce0ee27f18551d0254d9164350b45e
AgentTesla
39398dda1f7f090e035802d37510feb5c1bba05add23263a4c95e6837a2174e3
AgentTesla
398c85003f5e9e47b109c4d6fd2efbc9a17f2501c2ebc4ebd0dc3fef2bbd2614
AgentTesla
51f24503d32c9e10a2e7afe027d438380d007cd1566e5399cc52b039cacdb2ea
AgentTesla
c9be1ff9d80d934774556669459ad3242500a745531ba25f7c874f32f318cdd1
AgentTesla
ee69b74d0f0dd59fcd87304863626efb727ad6255bc29a7d48b7a441390dff1a
AgentTesla
+ 4'591 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240123-swwphscbg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
33a7df2807036a7086b46dde88e6615ce70e29c7b2509ded9ea0df1ab62118d5
MD5 hash:
84fff5dc052a3c2f3f475c4bb25d06e7
SHA1 hash:
f102f0876683e2098c5e70025c7599691ede8966
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/1100a1ca-ad89-47d5-ae07-171ed85f3b1a/
Parent samples :
b079b00c1b21ed95667a8adb41808e9578a95cc5a4700f42d8cec8fe8ad399f9
04540ec89a71f6cdfc4ed659499c1f35f2d225dc9a744f96bdb0f0b87bb9e4c1
5935f2e81b5ba5c74b0eb4a6d2611a84977f04758746c9d6f08fcfed011344d7
f2289f7072a9783c0c180de6cf3dd36f5f18f2254941d379b8de9b607e7f1bdd
f60c861179349e1c012be77ca6fd60414a54461e55a2efcc0a1ac6963184b492
334ffa72021633390095748425d9c555405ad89f298e98af31b642e9aebd5967
37c682dcc881282426e7c3471d95869c867ab1d8278ea8e6ee3f2ec2471ddcdd
36fc887a49c7e4cb95161f870bff4157c1864f00a3466cde4571733bf3663c96
da40689154fc12d96ac9859396fc1820973cec02182de34982f84735a29e9e64
8c1566a413229aaae51d1bfb7626ff778614be13e1ec13d4e36ce8f4d0a85205
SH256 hash:
b079b00c1b21ed95667a8adb41808e9578a95cc5a4700f42d8cec8fe8ad399f9
MD5 hash:
d9cfb41825b905e18f487f84cd4c1f9e
SHA1 hash:
c96d1e5d322cdc61d15451a9a6793879754a4d39
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/1100a1ca-ad89-47d5-ae07-171ed85f3b1a/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b079b00c1b21/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b079b00c1b21ed95667a8adb41808e9578a95cc5a4700f42d8cec8fe8ad399f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/472526/

Comments