MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b75b70e73450fe7e7cd8537d8e53c9d7e978eb7b8f34b8e899f85591a2f83c75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b75b70e73450fe7e7cd8537d8e53c9d7e978eb7b8f34b8e899f85591a2f83c75
SHA3-384 hash: 094cc242971aa7279001d5b2e555a33cdba4c9c331cbad00dd209f2866fe1de04b7ee2a811f2fa2610593bb3d0c1b21c
SHA1 hash: 34331e7fc029d598b230752e0c26771ec5d1dc84
MD5 hash: 92f597e69cb9c8c73148eba848c24932
humanhash: november-floor-vegan-queen
File name:SOA-FEB_2023.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:770'048 bytes
First seen:2023-03-21 14:47:21 UTC
Last seen:2023-03-21 18:25:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:gtY2czJMiNSzY1En59o6YCxCSQ04PM4spP7GrRybX:pdMZn5S65z4spP7GrRyT
Threatray 1'505 similar samples on MalwareBazaar
TLSH T16EF46C1D3C6899E3C324E677DBE6C225B3A35F567723C96925C213620E0E346ADCB11E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 017896b3a3361821 (10 x Formbook, 9 x AgentTesla, 3 x SnakeKeylogger)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA-FEB_2023.exe
Verdict:
Malicious activity
Analysis date:
2023-03-21 14:47:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/032531a0-03f3-4820-8c78-11d17c6bf626

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/6419c3a328f6cfd59136d759/reports/ea0ace50-8a28-4a0e-8cb0-f2198e2d3b2e/overview
Verdict:
Malicious
Labled as:
Trojan.Olock.Generic
Link:
https://www.hybrid-analysis.com/sample/b75b70e73450fe7e7cd8537d8e53c9d7e978eb7b8f34b8e899f85591a2f83c75
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13b4658a-9b09-46ce-bb6e-5e29d4245057
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1198640
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 831544 Sample: SOA-FEB_2023.exe Startdate: 21/03/2023 Architecture: WINDOWS Score: 100 70 Sigma detected: Scheduled temp file as task from temp location 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Yara detected AgentTesla 2->74 76 3 other signatures 2->76 7 SOA-FEB_2023.exe 4 2->7         started        11 YbzfPanjY.exe 3 2->11         started        13 PNGtqM.exe 2->13         started        15 PNGtqM.exe 2->15         started        process3 file4 50 C:\Users\user\AppData\Roaming\YbzfPanjY.exe, PE32 7->50 dropped 52 C:\Users\user\AppData\Local\...\tmp2034.tmp, XML 7->52 dropped 54 C:\Users\user\...\SOA-FEB_2023.exe.log, ASCII 7->54 dropped 88 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->88 90 May check the online IP address of the machine 7->90 92 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 7->94 17 SOA-FEB_2023.exe 15 4 7->17         started        22 schtasks.exe 1 7->22         started        24 SOA-FEB_2023.exe 7->24         started        96 Multi AV Scanner detection for dropped file 11->96 98 Machine Learning detection for dropped file 11->98 100 Injects a PE file into a foreign processes 11->100 26 YbzfPanjY.exe 16 4 11->26         started        28 schtasks.exe 1 11->28         started        30 PNGtqM.exe 13->30         started        32 schtasks.exe 13->32         started        34 PNGtqM.exe 15->34         started        36 schtasks.exe 15->36         started        signatures5 process6 dnsIp7 56 api4.ipify.org 173.231.16.76, 443, 49707 WEBNXUS United States 17->56 62 5 other IPs or domains 17->62 46 C:\Users\user\...\PNGtqM.exe:Zone.Identifier, ASCII 17->46 dropped 78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->78 80 Tries to steal Mail credentials (via file / registry access) 17->80 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->82 38 conhost.exe 22->38         started        58 64.185.227.155, 443, 49708, 49713 WEBNXUS United States 26->58 64 2 other IPs or domains 26->64 48 C:\Users\user\AppData\Roaming\...\PNGtqM.exe, PE32 26->48 dropped 84 Installs a global keyboard hook 26->84 40 conhost.exe 28->40         started        60 104.237.62.211, 443, 49712 WEBNXUS United States 30->60 66 2 other IPs or domains 30->66 42 conhost.exe 32->42         started        68 2 other IPs or domains 34->68 86 Tries to harvest and steal browser information (history, passwords, etc) 34->86 44 conhost.exe 36->44         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b75b70e73450fe7e7cd8537d8e53c9d7e978eb7b8f34b8e899f85591a2f83c75/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 04:25:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w5nxbzzukd7h47gykn6y4u6j27uxr233r42lr2ez7bkzdixyhr2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
065ca2568ff5b8dd327ef32472f962f10eddb43c642f3a0551a5071203d370aa
AgentTesla
22c8cdc1e38182a6d1c5ae7dde8b8c85054401cc2fe7a17a5edaf49af8524779
AgentTesla
321bcda7d38de0888c3bfe28e8f3488689ea9a7005645739a59cf5c66a72d00a
AgentTesla
76000176614d6ee212baf69e6589e97a94ed6ffe7ce762c6e40d3ae5aca30fd3
AgentTesla
a1e2e07c9b335493af4c7eb345f5e478d758efadb8ef2df597e08734c5ccffa1
AgentTesla
a6e90968f76ced3803d80c89af66fa1f76e6012b7a0a85a1ed53b71997537799
AgentTesla
ae9f0a09b1f95cb4ef05dc51e749a6b33e641a67cbf7cafc6fef41dbbd5b7671
AgentTesla
e7bd8b5e11ccc1b6d5480a7112ee3f3479f71531f54a4fabca748be32e65ae1b
AgentTesla
f95d3729e669fa3022b88892ec9d6b7b81d7bb4f9ea573660967dea575a55b2f
AgentTesla
f9b3b368ead42e40cc95eec1086d998fef8248e47985c15c45458c6415ffdca1
AgentTesla
+ 1'495 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230321-r6e9vabe89/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d
MD5 hash:
27f5124bf8f451bca8d8a15c73c4f521
SHA1 hash:
5fd557e109b8fd1c3b362b64f0ba9f1600c07211
Link:
https://www.unpac.me/results/06fbbe81-70d1-4022-9b88-274814aa8084/
SH256 hash:
a6428d222e2e7c83bd6f77495385f6b29b9b7b0128575135367c61568c711b52
MD5 hash:
97091db33345eae98d88a96a2090dfbe
SHA1 hash:
1329fa1e2d4b399475f80917a46a5e889563f69b
Link:
https://www.unpac.me/results/06fbbe81-70d1-4022-9b88-274814aa8084/
SH256 hash:
8422d2665f57aeb9e33d026dba039ea113a4126d001469af48e90ea3de5857da
MD5 hash:
120d167eba339802ba6aef4c98f10e7c
SHA1 hash:
1320b9fa83c48b9df1a288f49bd2cc33d52f52d5
Link:
https://www.unpac.me/results/06fbbe81-70d1-4022-9b88-274814aa8084/
SH256 hash:
b75b70e73450fe7e7cd8537d8e53c9d7e978eb7b8f34b8e899f85591a2f83c75
MD5 hash:
92f597e69cb9c8c73148eba848c24932
SHA1 hash:
34331e7fc029d598b230752e0c26771ec5d1dc84
Link:
https://www.unpac.me/results/06fbbe81-70d1-4022-9b88-274814aa8084/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b75b70e73450/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b75b70e73450fe7e7cd8537d8e53c9d7e978eb7b8f34b8e899f85591a2f83c75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments