MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1a5b664300ebe7d44ae27b9bae5b44c74faf5cf6b049a69127534ba55a43930. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1a5b664300ebe7d44ae27b9bae5b44c74faf5cf6b049a69127534ba55a43930
SHA3-384 hash: db5d928bbc0920ee6e6b5ea3355ea812d66dac959e8a4aa039dad92ca38cfe943508d6b2681eb003ea72412f73e24e13
SHA1 hash: 5c98e5d46992aef10df38553c12528f5ea518db2
MD5 hash: 49090fa137c16750bc4883a15bc136c0
humanhash: eight-stairway-cola-bakerloo
File name:49090fa137c16750bc4883a15bc136c0
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'646'080 bytes
First seen:2023-01-24 16:46:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:qWM8HgMQjZVeSyEG7sCZ1cO0WEKh3uYErwLzdNi8nraFVOVXrtKq+oh:S8MZkSisTHW/3uYF0FVutDh
Threatray 20'701 similar samples on MalwareBazaar
TLSH T1A47512A7307DD2E2F99D3CF46A58672125B26D860634F093D69F7ED2EAB3613C1081D2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 59dadadcdcdad758 (26 x AgentTesla, 2 x AsyncRAT, 1 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DTL067520003470xls.exe
Verdict:
Malicious activity
Analysis date:
2023-01-24 10:28:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aee37472-9168-46e4-a38f-d28d0698999a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356482/
Detection(s):
SecuriteInfo.com.Variant.Barys.22132.6845.5970.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys bladabindi packed
Link:
https://www.filescan.io/uploads/63d00b865544893406852a31/reports/ce1dd2c8-92a4-460f-ac0a-ce0ee958274f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/315320da-4bdf-4b8c-8084-d82af2466466
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1158087
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 790820 Sample: xbg2Upk64H.exe Startdate: 24/01/2023 Architecture: WINDOWS Score: 100 60 api.telegram.org 2->60 68 Snort IDS alert for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus / Scanner detection for submitted sample 2->72 74 9 other signatures 2->74 8 Efjolqt.exe 2 2->8         started        11 xbg2Upk64H.exe 1 5 2->11         started        14 Efjolqt.exe 1 2->14         started        signatures3 process4 file5 76 Antivirus detection for dropped file 8->76 78 Multi AV Scanner detection for dropped file 8->78 80 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->80 82 Machine Learning detection for dropped file 8->82 16 Efjolqt.exe 8->16         started        20 powershell.exe 13 8->20         started        22 Efjolqt.exe 8->22         started        42 C:\Users\user\AppData\Roaming\...fjolqt.exe, PE32 11->42 dropped 44 C:\Users\user\...fjolqt.exe:Zone.Identifier, ASCII 11->44 dropped 46 C:\Users\user\AppData\...\xbg2Upk64H.exe.log, ASCII 11->46 dropped 84 May check the online IP address of the machine 11->84 86 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->86 88 Encrypted powershell cmdline option found 11->88 24 xbg2Upk64H.exe 15 2 11->24         started        26 powershell.exe 16 11->26         started        90 Injects a PE file into a foreign processes 14->90 28 Efjolqt.exe 14->28         started        30 powershell.exe 14->30         started        32 Efjolqt.exe 14->32         started        34 Efjolqt.exe 14->34         started        signatures6 process7 dnsIp8 48 192.168.2.1 unknown unknown 16->48 50 api.ipify.org 16->50 62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->62 64 Tries to steal Mail credentials (via file / registry access) 16->64 66 Tries to harvest and steal browser information (history, passwords, etc) 16->66 36 conhost.exe 20->36         started        52 api4.ipify.org 64.185.227.155, 443, 49701, 49714 WEBNXUS United States 24->52 54 api.telegram.org 149.154.167.220, 443, 49709, 49717 TELEGRAMRU United Kingdom 24->54 56 api.ipify.org 24->56 38 conhost.exe 26->38         started        58 api.ipify.org 28->58 40 conhost.exe 30->40         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1a5b664300ebe7d44ae27b9bae5b44c74faf5cf6b049a69127534ba55a43930/
Threat name:
Win32.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2023-01-24 14:04:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgs3mzbqb27h2rfoe643vznujr2pv5opnmcju2isou2luvneheya._file
Verdict:
malicious
Similar samples:
01b0e10d7351007133aa2a5f1cef379b855706256fb70f327990ea142df772ad
AgentTesla
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
24902a43196fd02d2939443510181c165980bd71e889dcff559ca25153c76d81
AgentTesla
2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478
AgentTesla
54c9982441a435a8b22d24586a27be74cf0613498ccbc7f27440a12881e843cc
AgentTesla
6a38cb877dc57efa24fe27df01e1a11c4006ff7f9faa20a68aebbf6f3984ffcd
AgentTesla
8ee64c1e736af072147a203e1db12d28b06cbc25e022092291dbcc47d65da67f
AgentTesla
a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8
AgentTesla
c5a38850fd0174c6c0464695cb4a01e8b75b1d3010df4c05a6b70c595ff3cb5e
AgentTesla
f68f6359b82ece4191c3215acc5425859c1cfa4ea8130ec73ea01640c05b3475
AgentTesla
+ 20'691 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230124-t91q3aec6w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/0e80a20c-141b-4547-9b79-899c9a388ba2/
SH256 hash:
0eaf24e7420cabbf136a6de4f091065f1d41c262374303849cc07ecb9d779a6a
MD5 hash:
de076e9b4ed2149edc0c9d401491d9dc
SHA1 hash:
a6c5f3909ea68abbb1ad001d041aeb75a9c32677
Link:
https://www.unpac.me/results/0e80a20c-141b-4547-9b79-899c9a388ba2/
SH256 hash:
3222fd17c73c6b3764284e2c201d1f535b72ad7f4527c6ef105a09bc089772a9
MD5 hash:
7a669cc32a43f419e9cc018516495396
SHA1 hash:
4b9945b0780da13153896e85de6df77211bb23d3
Link:
https://www.unpac.me/results/0e80a20c-141b-4547-9b79-899c9a388ba2/
SH256 hash:
b1a5b664300ebe7d44ae27b9bae5b44c74faf5cf6b049a69127534ba55a43930
MD5 hash:
49090fa137c16750bc4883a15bc136c0
SHA1 hash:
5c98e5d46992aef10df38553c12528f5ea518db2
Link:
https://www.unpac.me/results/0e80a20c-141b-4547-9b79-899c9a388ba2/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b1a5b664300e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1a5b664300ebe7d44ae27b9bae5b44c74faf5cf6b049a69127534ba55a43930

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe b1a5b664300ebe7d44ae27b9bae5b44c74faf5cf6b049a69127534ba55a43930

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2517276/
Cape
Cape
https://www.capesandbox.com/analysis/356482/

Comments


Avatar
zbet commented on 2023-01-24 16:46:06 UTC

url : hxxp://3.65.2.139/sch/DTL067520003470xls.exe