MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b574d17071016f07f3485f62a3ada8e8557eaa3b21a32fe52e6e52be8cc7b2c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b574d17071016f07f3485f62a3ada8e8557eaa3b21a32fe52e6e52be8cc7b2c1
SHA3-384 hash: 06af4f0ee2b8c2416391b54e3894b04180008e663f970830eb4cec0c2384bc7d43cf0eee9129a21fc3f6cb54bb8d4342
SHA1 hash: f28ee10848e9d2fc0be3a5d296622ff292bcb5c6
MD5 hash: ceef1b2842c9b7d4d229628cc26d2566
humanhash: leopard-six-west-mountain
File name:recordatori...242146238.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:583'168 bytes
First seen:2023-09-28 09:27:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:X2iN4yiRJU/WcDxL2ZCUWgxSwITM1iobNA1m2cHSDkAYb:X19FecxLxWcoRGm2U
Threatray 5'623 similar samples on MalwareBazaar
TLSH T1E4C401212AE94B99DA79A7F98832941093B655BF3233E74C4DC375CB06B6F804311FA7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
recordatori...242146238.exe
Verdict:
Malicious activity
Analysis date:
2023-09-28 09:29:43 UTC
Tags:
snake evasion
Link:
https://app.any.run/tasks/418d345b-0dd2-40d8-bba6-2c6449043acf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451741/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6515472283a0c6425d018d72/reports/1e7158da-4e76-48e6-a31a-a6bcc31384ac/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b574d17071016f07f3485f62a3ada8e8557eaa3b21a32fe52e6e52be8cc7b2c1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c6da521-e222-4ba4-9ffc-3df08cbf3ab5
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1315733
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b574d17071016f07f3485f62a3ada8e8557eaa3b21a32fe52e6e52be8cc7b2c1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-28 09:28:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wv2nc4drafxqp42il5rkhlni5bkx5kr3egrs7zjonzjl5dghwlaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
52c6ffb87121554941e0039dc10e44aff96df0880d038bab6cc736d99814d0c2
AgentTesla
68cd899c048a9b097d438260f9a92513b6cc42fc203c8126df2bb35b86c50671
AgentTesla
9c999d23bb8110f85cc977e9a697c7eb3387dbe27ae0dba92c141986893946d3
AgentTesla
a33eafbcec3736e5d47d6c951a6824ed67a0e124131425f04e2e03864edf8502
AgentTesla
b82242cf60b9f23d227f5dda48fd1e959dbc0a0bd06bccb279ff3531783873ec
AgentTesla
d9eefd6741e692541008b7d71cde7d92662a6088247791f8a48e41b953324196
AgentTesla
df8944cca7e607a5fe6765794fbd8c009de24cc170a99cd0cb7055b177b6a217
AgentTesla
e47b7ff50e6e7dd47087235ad782bdc84255e2642e80744d34ae027a2db13aec
AgentTesla
e61dc30af3bae04f163df687e66592073621fd84933988e36105405f38053c45
AgentTesla
+ 5'613 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230928-lfbwvaab4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
f013dee239399ed629c6dbaafa432849e3e27c1040454faef250e234cd792c0d
MD5 hash:
b42f335ac26600bd56657f49e4386042
SHA1 hash:
f4b3d78aa4d65c575df3b2836535f405f5c34bc7
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/9e8cf134-577a-4226-9127-5b0497c2a014/
SH256 hash:
a655be43f79d44bf3e6720e6e1aa99b8fd94785cd46707d9a0dd48a10e4d20c8
MD5 hash:
7c2c98a1bc1af93e1bc1e0c933915b8e
SHA1 hash:
c5c3a2e553fdfa9010cf11b582fe3399c5551ffd
Link:
https://www.unpac.me/results/9e8cf134-577a-4226-9127-5b0497c2a014/
SH256 hash:
d21fa4b393f2b2a4e06618e8fed6f69dd809792f8d0d081b6475766bd09f4ef0
MD5 hash:
46c0065b6c2bcfde21d3e7feaa0a3f57
SHA1 hash:
5d3f499f1b4ec69e7af103af0f97d5a9a5772431
Link:
https://www.unpac.me/results/9e8cf134-577a-4226-9127-5b0497c2a014/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/9e8cf134-577a-4226-9127-5b0497c2a014/
SH256 hash:
b574d17071016f07f3485f62a3ada8e8557eaa3b21a32fe52e6e52be8cc7b2c1
MD5 hash:
ceef1b2842c9b7d4d229628cc26d2566
SHA1 hash:
f28ee10848e9d2fc0be3a5d296622ff292bcb5c6
Link:
https://www.unpac.me/results/9e8cf134-577a-4226-9127-5b0497c2a014/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b574d1707101/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b574d17071016f07f3485f62a3ada8e8557eaa3b21a32fe52e6e52be8cc7b2c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b574d17071016f07f3485f62a3ada8e8557eaa3b21a32fe52e6e52be8cc7b2c1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/451741/

Comments