MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b19287554476eb30a0fc187661f92e5bac1419d64c51febfd412c451ec00ac5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b19287554476eb30a0fc187661f92e5bac1419d64c51febfd412c451ec00ac5f
SHA3-384 hash: 3b9b5c1e4bb83a708cafecbbfcf37e4d4979b3aeeba96da1ee9f6d59db48f8fdbeb32c3fa339a474b79cdea932df4502
SHA1 hash: d788b896b9d9c5f3629cebc45a49738997046967
MD5 hash: 6948c873f1715f83a4ae41ef9a30fbbd
humanhash: blue-three-comet-four
File name:Solicitud de presupuesto.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'285'632 bytes
First seen:2024-02-01 12:07:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:EAHnh+eWsN3skA4RV1Hom2KXMmHarAuuNTljhggpr5:Th+ZkldoPK8YaHunhr
Threatray 171 similar samples on MalwareBazaar
TLSH T1B855BF0273E980B6FFBB42735B66F21516BCBD694133851F23981E7878B42B1163E762
TrID 63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
11.6% (.EXE) Win64 Executable (generic) (10523/12/4)
7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b0f4e8b28e8eb28e (1 x AgentTesla)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b19287554476eb30a0fc187661f92e5bac1419d64c51febfd412c451ec00ac5f.zip
Verdict:
Malicious activity
Analysis date:
2024-02-01 12:15:04 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/ed68aa33-bf14-4559-8458-acdd500c57d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474032/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.71421737.19079.23595.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit fingerprint keylogger lolbin packed shell32
Link:
https://www.filescan.io/uploads/65bb89b51f6a03f0c4e5cdde/reports/477ff60f-a404-45fd-98fb-f6719c256053/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b19287554476eb30a0fc187661f92e5bac1419d64c51febfd412c451ec00ac5f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a4bf9c73-36fc-4d20-900d-7b3bc92c7b0b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1384849
Signature
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b19287554476eb30a0fc187661f92e5bac1419d64c51febfd412c451ec00ac5f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b19287554476eb30a0fc187661f92e5bac1419d64c51febfd412c451ec00ac5f/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-01-30 12:53:59 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgjiovkeo3vtbih4db3gd6jolowbigowjri75p6uclcfd3aavrpq._file
Verdict:
malicious
Similar samples:
1915126c27ba8566c624491bd2613215021cc2b28e5e6f3af69e9e994327f3ac
AgentTesla
1c27a36f09916fc04a5b43b2a7a0869d62e31d5c28a315257caf661b428fe221
AgentTesla
23906739f99511519d539a4fa691df58369028cb908ba5a442270a0551d1be3f
AgentTesla
6d1cfff093998c807b9c5dc3fd122adbea40c5bad0cad4cbe10b43932c28bdd9
AgentTesla
7380330a17df5cc5829d8c39cb616c59491145c1379c044aae3dec0edc87b54d
AgentTesla
cab1e1538f9de2a9a663d7ceebc17a2cdc200fb2c09c5567ef9f273e5bcffdf6
AgentTesla
f60f32ec899bcb92fd50491a8c32f0548afbd4dc02462dfa373d484b4b161a86
AgentTesla
+ 161 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240201-paw7dafaan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
AutoIT Executable
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Loads dropped DLL
AgentTesla
Unpacked files
SH256 hash:
83ee9100f073d51af5cfa8e059a31e8430c82805177e92d00e28c56284e3839e
MD5 hash:
e392a3a67ea28a2ea7aa0015b3702304
SHA1 hash:
3a2338cceae1e189cf6179407a16b43905db0dc6
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/2eb2313e-38e2-4901-96c8-0ba329c3f717/
Parent samples :
1da06dbf7432150c205edce8a852c8e6e4a6bb1140220c45dc5c659fd4050f21
6c0bf9706a231ab73f37008ba8902f487e12e2a860c27b1b9ce14a68150f9965
8450b093f12a16ae8beef65c25855f746157881351aba20be881dec58bfde7aa
18124311d320512f787d554a1236375b142d6860b55b93a9afb53c4a519b6d60
020006147733cd39dbed723e787cb597c9d65332eeb5792a30c0bdba0fca5df5
b19287554476eb30a0fc187661f92e5bac1419d64c51febfd412c451ec00ac5f
c9241559f23410420e3cc5aca086d56b5b09f6f93dfa00a89c3596f2b4d80a2a
21c452504d916f5345197db3809edd44eee4dafafb15879f778fa4c7470ad266
SH256 hash:
6981d7c16b8948108311edcd20c9b6a71408ffeef5e07652434353c8c7df85f9
MD5 hash:
a7fa41e2b610dcbe174b41fcbd7f2478
SHA1 hash:
287997f2dcb21bc65802bc39eac26b1898adfc92
Detections:
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/2eb2313e-38e2-4901-96c8-0ba329c3f717/
SH256 hash:
b19287554476eb30a0fc187661f92e5bac1419d64c51febfd412c451ec00ac5f
MD5 hash:
6948c873f1715f83a4ae41ef9a30fbbd
SHA1 hash:
d788b896b9d9c5f3629cebc45a49738997046967
Detections:
AutoIT_Compiled
Create hunting rule
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/2eb2313e-38e2-4901-96c8-0ba329c3f717/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b19287554476eb30a0fc187661f92e5bac1419d64c51febfd412c451ec00ac5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b19287554476eb30a0fc187661f92e5bac1419d64c51febfd412c451ec00ac5f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/474032/

Comments