MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4e17af67f0a7a0cc41e2a97e2c4b2491592f72efaf1d61cca890c1d76cae089. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4e17af67f0a7a0cc41e2a97e2c4b2491592f72efaf1d61cca890c1d76cae089
SHA3-384 hash: 2dbc9e02413dcd78db8dd350bb9b4bb56af3a3fda0a972961a9f0ade4030843667ba6118eb40a1424c0220bc1f7f158e
SHA1 hash: 96bd31273006a267b08c5220769fec0677250bd0
MD5 hash: 6ffe4bac4ff88ce75f0a33e77e552750
humanhash: ten-robert-november-may
File name:SecuriteInfo.com.Win32.PWSX-gen.48.11274
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'287'680 bytes
First seen:2023-11-17 06:18:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:DdlEFnxn1I636fvNSGTBiQDNnA8PsnjF8i8xj57:TEFnY6qldDNnA8eF98xj5
Threatray 6 similar samples on MalwareBazaar
TLSH T1885516385B9A0667FC78C7B6DBD08117B261AEE7B129DD24D8C233C65732B4264D423E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0021634b41490200 (2 x AgentTesla)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
355
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.48.11274
Verdict:
Malicious activity
Analysis date:
2023-11-17 06:21:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4e13c223-b5a4-4f10-bfb7-d69dc98d2c78

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/458909/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.48.11274.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
90%
Tags:
explorer fingerprint lolbin packed
Link:
https://www.filescan.io/uploads/655705d76fbed9188363cdc0/reports/49e62584-c539-45e5-b678-a97b329e45bb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b4e17af67f0a7a0cc41e2a97e2c4b2491592f72efaf1d61cca890c1d76cae089
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86c28e79-c8d9-4360-a91f-ff3f404dd027
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1343992
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1343992 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 17/11/2023 Architecture: WINDOWS Score: 100 53 www.vaultedjewelry.com 2->53 55 parkingpage.namecheap.com 2->55 61 Malicious sample detected (through community Yara rule) 2->61 63 Sigma detected: Scheduled temp file as task from temp location 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 6 other signatures 2->67 11 vzQCNQiJLj.exe 5 2->11         started        14 SecuriteInfo.com.Win32.PWSX-gen.48.11274.exe 7 2->14         started        signatures3 process4 file5 73 Multi AV Scanner detection for dropped file 11->73 75 Machine Learning detection for dropped file 11->75 17 vzQCNQiJLj.exe 11->17         started        20 schtasks.exe 1 11->20         started        22 vzQCNQiJLj.exe 11->22         started        49 C:\Users\user\AppData\...\vzQCNQiJLj.exe, PE32 14->49 dropped 51 C:\Users\user\AppData\Local\...\tmp9D92.tmp, XML 14->51 dropped 77 Uses schtasks.exe or at.exe to add and modify task schedules 14->77 79 Adds a directory exclusion to Windows Defender 14->79 81 Injects a PE file into a foreign processes 14->81 24 powershell.exe 23 14->24         started        26 schtasks.exe 1 14->26         started        28 SecuriteInfo.com.Win32.PWSX-gen.48.11274.exe 14->28         started        signatures6 process7 signatures8 59 Maps a DLL or memory area into another process 17->59 30 MztOMxJupoG.exe 17->30 injected 33 conhost.exe 20->33         started        35 conhost.exe 24->35         started        37 conhost.exe 26->37         started        39 WerFault.exe 22 16 28->39         started        process9 signatures10 83 Maps a DLL or memory area into another process 30->83 41 help.exe 30->41         started        process11 signatures12 69 Maps a DLL or memory area into another process 41->69 71 Queues an APC in another process (thread injection) 41->71 44 MztOMxJupoG.exe 41->44 injected process13 dnsIp14 57 parkingpage.namecheap.com 91.195.240.19, 49718, 80 SEDO-ASDE Germany 44->57 47 WerFault.exe 44->47         started        process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b4e17af67f0a7a0cc41e2a97e2c4b2491592f72efaf1d61cca890c1d76cae089
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4e17af67f0a7a0cc41e2a97e2c4b2491592f72efaf1d61cca890c1d76cae089/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-17 06:19:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtqxv5t7bj5azra6fkl6frfsjekzf5zo7ly5mhgkregb25wk4ceq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
3f0f2b7e3062679b5ba9559637eee1d3ab15dea790fbf3c85b69fcccb3edc8bf
AgentTesla
6259c72f7177bd82ce39f46c99f6daac55cfdd4ba27a56f13bf29c3aa32a26d8
AgentTesla
65327a449adf03742f34bbba9782c91f87e542101d680a763235287498a4f942
AgentTesla
b4e17af67f0a7a0cc41e2a97e2c4b2491592f72efaf1d61cca890c1d76cae089
AgentTesla
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231117-g26k5aha7w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
897b0805f35df1e407f4e0311ed7aba2b3c5c5c3b736a18e61789bc37566de86
MD5 hash:
2c712b30f200e738ba2b596a29dcafe9
SHA1 hash:
2db19bd3198a49dced59c196f792e8cdc491f48a
Link:
https://www.unpac.me/results/50587e5b-da20-41df-9392-11aa5185529d/
SH256 hash:
719bfa6c87c87b9b285e3a9a0d207e438ea8399337296595d4e7e67cd483e4d1
MD5 hash:
e7e636086e3ad67f5fa13e4cb3381e5a
SHA1 hash:
03f69e80759ce9cb796af48c33168b0d69170a64
Link:
https://www.unpac.me/results/50587e5b-da20-41df-9392-11aa5185529d/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/50587e5b-da20-41df-9392-11aa5185529d/
SH256 hash:
76482f1dc9b0639dd6b2d762e09101875e207e8c60e146a43ca182a4c13d6afa
MD5 hash:
9561bc00330bfa400784c1b3b2075d0b
SHA1 hash:
b98f0014f428085dea5ea44108d64d9119e3d698
Link:
https://www.unpac.me/results/50587e5b-da20-41df-9392-11aa5185529d/
SH256 hash:
7e02f0c36d709f81762dc41420c401a4304fcb696e0c25c103206d0016928167
MD5 hash:
282d8c560b5fccfb2e45c3a2f2d69d84
SHA1 hash:
41431c57ac6a01d9325e6853e3d88dd0c9ae8858
Link:
https://www.unpac.me/results/50587e5b-da20-41df-9392-11aa5185529d/
SH256 hash:
b4e17af67f0a7a0cc41e2a97e2c4b2491592f72efaf1d61cca890c1d76cae089
MD5 hash:
6ffe4bac4ff88ce75f0a33e77e552750
SHA1 hash:
96bd31273006a267b08c5220769fec0677250bd0
Link:
https://www.unpac.me/results/50587e5b-da20-41df-9392-11aa5185529d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b4e17af67f0a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4e17af67f0a7a0cc41e2a97e2c4b2491592f72efaf1d61cca890c1d76cae089

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/458909/

Comments