MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5592e770b7d303941e3eeefcd68cc0f3abd1f67423c073dff03f4f954a9dbde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5592e770b7d303941e3eeefcd68cc0f3abd1f67423c073dff03f4f954a9dbde
SHA3-384 hash: 0bd518ed750d0d612d8bb4df8a3bd6cce64e92d220d7c78b4188a8b53f82c71707b9601eb7f62771a90526bc0d1259d8
SHA1 hash: 1c0e51a46cfb58ca36c75648670e389838d572a7
MD5 hash: 74ceba819ff4255b384ddb12bf6b418e
humanhash: skylark-sierra-robin-arkansas
File name:EO-230807.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:443'392 bytes
First seen:2023-10-06 06:21:56 UTC
Last seen:2023-10-09 05:28:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:wqh6w0lX1Bn8e+GWimmHqsuB9B9rd2l8tvEFn4AacYPahZN:fcXlb8ekzRrm8NEFngcYPahZ
Threatray 34 similar samples on MalwareBazaar
TLSH T17694E50B7A4B9DF6C78F173AC19716041BB8D7427363D74F398A23AA78433A99E02157
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
298
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
EO-230807.exe
Verdict:
Malicious activity
Analysis date:
2023-10-06 06:27:37 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/831d2836-e737-4965-a0a3-f647410a2589

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Rogue.0hr.20231006-0137.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Creating a window
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin packed replace
Link:
https://www.filescan.io/uploads/651fa78c426c8727d6f08327/reports/bdf8a507-2976-42f9-b25e-96f1307b7353/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b5592e770b7d303941e3eeefcd68cc0f3abd1f67423c073dff03f4f954a9dbde
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e1159adf-7ba0-4637-9ce7-1f0c21eb22fa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1320735
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1320735 Sample: EO-230807.exe Startdate: 06/10/2023 Architecture: WINDOWS Score: 100 28 mail.fardarlogistics.com 2->28 30 qu.ax 2->30 42 Snort IDS alert for network traffic 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 6 other signatures 2->48 7 Hggdggyr.exe 14 5 2->7         started        10 EO-230807.exe 16 5 2->10         started        14 Hggdggyr.exe 4 2->14         started        signatures3 process4 dnsIp5 50 Antivirus detection for dropped file 7->50 52 Multi AV Scanner detection for dropped file 7->52 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->54 56 Machine Learning detection for dropped file 7->56 16 Hggdggyr.exe 2 7->16         started        34 qu.ax 92.118.112.119, 443, 49683, 49685 GUDAEV-ASRU Russian Federation 10->34 26 C:\Users\user\AppData\Roaming\Hggdggyr.exe, PE32 10->26 dropped 58 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->58 60 Injects a PE file into a foreign processes 10->60 19 EO-230807.exe 2 10->19         started        22 Hggdggyr.exe 14->22         started        24 Hggdggyr.exe 14->24         started        file6 signatures7 process8 dnsIp9 32 mail.fardarlogistics.com 192.185.16.184, 49684, 49690, 49693 UNIFIEDLAYER-AS-1US United States 19->32 36 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->36 38 Tries to steal Mail credentials (via file / registry access) 22->38 40 Tries to harvest and steal browser information (history, passwords, etc) 22->40 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5592e770b7d303941e3eeefcd68cc0f3abd1f67423c073dff03f4f954a9dbde/
Threat name:
ByteCode-MSIL.Trojan.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2023-10-05 21:58:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wvms45ylpuydsqpd53x422gmb45l2h3hii6aopp7ap2psvfj3ppa._file
Verdict:
malicious
Similar samples:
007cfdd9d19a225b749811f15daee02016824bfd2fbb63934ff4df18ed59eeff
AgentTesla
2a10de68cf32f00733275b4d66276226c82e362b06e8bc1e3af88232f59ebb4e
AgentTesla
5c7e18764c02e02117f91213a2f66e63265d3ed30c0ea8ae1c9be8ff5ee4ba43
AgentTesla
6490e5498bf6ca3c0b3cb40d581e019e8c4135fd8bc49580c30160f6b02450c6
AgentTesla
b0dae00efdb8e3e23450b7c29f558a85a82f5a95fa2a94718ee9afc7ea4ad5f0
AgentTesla
c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763
AgentTesla
db6d0d7d8fbb083af05032fa8d3d516cf789f2f81fc651749e77bb4f7ba4e5ee
AgentTesla
f4ec042b3b9d605d34a32d37c19a100e50f1ab5242f02f826d683ee6f742810a
AgentTesla
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/231006-g4wtpshd7y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
b5592e770b7d303941e3eeefcd68cc0f3abd1f67423c073dff03f4f954a9dbde
MD5 hash:
74ceba819ff4255b384ddb12bf6b418e
SHA1 hash:
1c0e51a46cfb58ca36c75648670e389838d572a7
Link:
https://www.unpac.me/results/01652c4b-7392-443b-aa67-c3cf8089847f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5592e770b7d303941e3eeefcd68cc0f3abd1f67423c073dff03f4f954a9dbde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 750fef97bf5708b90acd6ad8ac68a9966cce0c7b7f863f109cd27459918f38ac

AgentTesla

Executable exe b5592e770b7d303941e3eeefcd68cc0f3abd1f67423c073dff03f4f954a9dbde

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 750fef97bf5708b90acd6ad8ac68a9966cce0c7b7f863f109cd27459918f38ac
  
Dropped by
MD5 6ac26e4355854a513df3b11a9072f6a2

Comments