MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b082cba27efc5e6d925e816ac7ea0bbdcfa83b322cc3c340047e985389857da7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b082cba27efc5e6d925e816ac7ea0bbdcfa83b322cc3c340047e985389857da7
SHA3-384 hash: 92bf63a138eb2995b6bd6552b7c5f93b9c3fa1f91ebdd664eea2e9edfa9a391cad70c3816c0db5bda7a2eb3afa379e73
SHA1 hash: b9cbf54a123163c2fe664a9467ad2a54a25b5b63
MD5 hash: 9f017c7852b97b971acd3acf0047f7e1
humanhash: vegan-romeo-alanine-island
File name:9f017c7852b97b971acd3acf0047f7e1
Download: download sample
Signature AgentTesla
Create hunting rule
File size:604'160 bytes
First seen:2023-04-19 09:41:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:yOnbqjctfGzFBjz4+OPynIy0c/BadY0cXJdTV0BwjGw7cUU36+opoWqJH:yJEfGPjz4ry/5uY0cZYwKwbao9mH
Threatray 2'267 similar samples on MalwareBazaar
TLSH T178D4E0299136AEF2E6AD0B7200103AD9DF70A5D37872C63C0F9678D6DB9F7092D94187
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO230102.doc
Verdict:
Malicious activity
Analysis date:
2023-04-19 08:16:51 UTC
Tags:
exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/09351145-d279-4907-994c-d2c49acbe864

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383253/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Variant.Lazy.331348.16159.29075.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643fb76f7a31c790ffdbd3b8/reports/76898218-895c-4062-9bf5-a79eaa04e202/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b082cba27efc5e6d925e816ac7ea0bbdcfa83b322cc3c340047e985389857da7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee1b8cd3-663f-4e46-8d05-58cdb98cc560
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1216832
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b082cba27efc5e6d925e816ac7ea0bbdcfa83b322cc3c340047e985389857da7/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-04-19 09:42:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wcbmxit67rpg3es6qfvmp2qlxxh2qozsftb4gqaep2mfhcmfpwtq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
21d455342573c58b10724e61e0fefadd32fd934b573b8f6f655e52e08dadc8bf
AgentTesla
5088e12afee933210f05783a3a9fe64d8491142988107daa84c3628f79af185a
AgentTesla
52208dce9b01e32cd33278444f09b15ba8163a919c73d3d5e33401ce6520c7d2
AgentTesla
52d3c96b710026a47745d1f5d8001e0d3c57eff2c8067466af44a36bacd0eea4
AgentTesla
61abb254011d46a438c4e736cef97d8a2a51483f9fe6903f693479cd7df643bf
AgentTesla
80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d
AgentTesla
a15153863ec4bed33ce7f014da9861ef349b152b46a5978d5c03b5fe75544aea
AgentTesla
ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca
AgentTesla
cfe9a5c61a337677133e024d05f571e038c970fac99e7a9c4c96a6f13d1d0d84
AgentTesla
+ 2'257 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230419-lpb8zabe7w/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4ca5f5178dee0f87a944fc81027472953a61c5b605e6a11a00fe4396c81d56c9
MD5 hash:
1e7635b1491974494c1ce16aadf0e7cb
SHA1 hash:
ec642e6fafb59e26aea6f7e8d14690a761afdc58
Link:
https://www.unpac.me/results/4bb33e2a-0945-4572-b3c1-86b8d03f7913/
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/4bb33e2a-0945-4572-b3c1-86b8d03f7913/
SH256 hash:
571208eeb5424ce9f6734b704a8553182f943b2bb9901aaded1daef63f0225ff
MD5 hash:
39e35a185ece06451a021d6df93fc63c
SHA1 hash:
4f2b57b8172582a567fac0e2bd196a80b22e1932
Link:
https://www.unpac.me/results/4bb33e2a-0945-4572-b3c1-86b8d03f7913/
SH256 hash:
26e36843f19583368b5b8914bd1be4b4e852bcffe3c750fd566e096e4d885919
MD5 hash:
6c96ea3888cf596cbc097893a22e9f75
SHA1 hash:
46a6bccfe3b5a5900abbdbc7ad658c4acb766347
Link:
https://www.unpac.me/results/4bb33e2a-0945-4572-b3c1-86b8d03f7913/
SH256 hash:
a2452f342b511727771a0479c466c66acfa976b74b2202e6defcee6b8e17e396
MD5 hash:
9d26bd9e641e935d5cef0ca8cb9a378c
SHA1 hash:
2a1ecfd0da8d68034e80e06d4367741c0ec8d241
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/4bb33e2a-0945-4572-b3c1-86b8d03f7913/
SH256 hash:
b082cba27efc5e6d925e816ac7ea0bbdcfa83b322cc3c340047e985389857da7
MD5 hash:
9f017c7852b97b971acd3acf0047f7e1
SHA1 hash:
b9cbf54a123163c2fe664a9467ad2a54a25b5b63
Link:
https://www.unpac.me/results/4bb33e2a-0945-4572-b3c1-86b8d03f7913/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b082cba27efc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b082cba27efc5e6d925e816ac7ea0bbdcfa83b322cc3c340047e985389857da7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe b082cba27efc5e6d925e816ac7ea0bbdcfa83b322cc3c340047e985389857da7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2613497/
Cape
Cape
https://www.capesandbox.com/analysis/383253/

Comments


Avatar
zbet commented on 2023-04-19 09:41:32 UTC

url : hxxp://208.67.105.179/johnzx.exe