MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b97a932fadd096c350b870e0a0d9865c0c3a0d28f236575509fb349e347c92b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b97a932fadd096c350b870e0a0d9865c0c3a0d28f236575509fb349e347c92b4
SHA3-384 hash: 45508e4251c3bbcf751bd0c37497496b295da90f7be2c257e2c63b28aeb57b612d9354681eb6da3f3ec3e89fae1a09e2
SHA1 hash: abd4c7feb4357c6bc72a18cf36c9e953d398116f
MD5 hash: 371bdacde39dede1227b620e61b78ff3
humanhash: grey-tennessee-stream-early
File name:SOA 6680085911.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:709'632 bytes
First seen:2023-06-28 07:40:18 UTC
Last seen:2023-06-30 07:29:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:zcj65qWT0l9tHn5CTZLOUzAA67m/0iYIj64YP6LCm/M27:Q6H6tZCVF67QBNj6HPAV0
Threatray 536 similar samples on MalwareBazaar
TLSH T121E4183C6B7D9A22C034C6B9CED584B3F2558F3AB411D52258867BB56722B921DC333E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
330
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SOA 6680085911.exe
Verdict:
Malicious activity
Analysis date:
2023-06-28 07:42:23 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/189f09b8-63ea-4374-b2fe-a8b92d7e2b3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/403435/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.28191.3536.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/649be410313e9da61a5bb10f/reports/3b01633d-3d2e-4108-b97a-46d3ad8366b6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b97a932fadd096c350b870e0a0d9865c0c3a0d28f236575509fb349e347c92b4
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aab449be-9e7f-4d3f-babf-7b09374ee512
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1262525
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 895555 Sample: SOA_6680085911.exe Startdate: 28/06/2023 Architecture: WINDOWS Score: 100 79 Found malware configuration 2->79 81 Sigma detected: Scheduled temp file as task from temp location 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 4 other signatures 2->85 7 SOA_6680085911.exe 7 2->7         started        11 HZrzKLa.exe 5 2->11         started        13 OpWIH.exe 2->13         started        15 OpWIH.exe 2->15         started        process3 dnsIp4 55 C:\Users\user\AppData\Roaming\HZrzKLa.exe, PE32 7->55 dropped 57 C:\Users\user\...\HZrzKLa.exe:Zone.Identifier, ASCII 7->57 dropped 59 C:\Users\user\AppData\Local\...\tmp46AA.tmp, XML 7->59 dropped 61 C:\Users\user\...\SOA_6680085911.exe.log, ASCII 7->61 dropped 95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->95 97 May check the online IP address of the machine 7->97 99 Uses schtasks.exe or at.exe to add and modify task schedules 7->99 101 Adds a directory exclusion to Windows Defender 7->101 18 SOA_6680085911.exe 17 5 7->18         started        23 powershell.exe 21 7->23         started        25 schtasks.exe 1 7->25         started        103 Multi AV Scanner detection for dropped file 11->103 105 Injects a PE file into a foreign processes 11->105 27 HZrzKLa.exe 11->27         started        29 schtasks.exe 1 11->29         started        31 OpWIH.exe 13->31         started        33 schtasks.exe 13->33         started        77 192.168.2.1 unknown unknown 15->77 35 OpWIH.exe 15->35         started        37 schtasks.exe 15->37         started        file5 signatures6 process7 dnsIp8 63 mail.opulent-elite.com 135.181.115.139, 49698, 49703, 49705 HETZNER-ASDE Germany 18->63 65 api4.ipify.org 64.185.227.155, 443, 49697, 49701 WEBNXUS United States 18->65 67 api.ipify.org 18->67 51 C:\Users\user\AppData\Roaming\...\OpWIH.exe, PE32 18->51 dropped 53 C:\Users\user\...\OpWIH.exe:Zone.Identifier, ASCII 18->53 dropped 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->87 89 Tries to steal Mail credentials (via file / registry access) 18->89 91 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->91 39 conhost.exe 23->39         started        41 conhost.exe 23->41         started        43 conhost.exe 25->43         started        69 api.ipify.org 27->69 45 conhost.exe 29->45         started        71 173.231.16.76, 443, 49702, 49704 WEBNXUS United States 31->71 73 api.ipify.org 31->73 47 conhost.exe 33->47         started        75 api.ipify.org 35->75 93 Tries to harvest and steal browser information (history, passwords, etc) 35->93 49 conhost.exe 37->49         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b97a932fadd096c350b870e0a0d9865c0c3a0d28f236575509fb349e347c92b4/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-28 07:33:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xf5jgl5n2clmgufyodqkbwmglqgdudji6i3fovij7m2j4nd4sk2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b21c2bec0bcf3df0a9d83d5c3e708d0a9590b8a5bf85371d9a826d7bba3b457
AgentTesla
3128342e14d0e3fdf92828d146cc86bc6f52520cd792b043f72e20eddb022e10
AgentTesla
377ecccf20a10a0f9fb02b2d614ae682826322aabdaf217b1cf0f9b0ff14ece4
AgentTesla
61e75e123449c092c36171ad72de1ddbce425c8a82de0704f868295fab5df3a1
AgentTesla
7806b747871480b540e81ab255b9f18a97d7fd8ee150b2c85484acf08174b5ca
AgentTesla
903ea42c02e8a30f6ad63666de0748b4fd4c2758c220b39af57269d1eebebb9d
AgentTesla
9ab4351395cfc81d8afabb133e442989b54696cad65e22de72d58398505762bd
AgentTesla
a74174da27ad7415025fd5f70ec71f0b9d87ec0b3227b7bc7355cc0fe82269e1
AgentTesla
bda1a08d1c632950d8a4980f501b78336a1f0602919365d40c62b3d2877041b4
AgentTesla
d53118397cd7dbd982acbf2b19245c70d8b1b5c1331acefc540d38c347865c55
AgentTesla
+ 526 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230628-jh4crshf6t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672
MD5 hash:
14ee8b8b7e47469317d1012f0898b111
SHA1 hash:
c6da4e2f1ab8c277129026648cbf97d8d6126245
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
a70dad25705c02e71ccc76bae4febec38f500741dd11820c8d7480c56233cc93
MD5 hash:
ab8c7b1ea9aaf9486241509ea07f9626
SHA1 hash:
6c29fa43361de141a360e4c4cbc5c4614e4f154e
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
Parent samples :
b97a932fadd096c350b870e0a0d9865c0c3a0d28f236575509fb349e347c92b4
6ac53fdae8e1f8f64b9bdc321f0690935f29e26605451b268119cda2a41b6bda
01a7195a65b73ce39d09234ab7266977e307fd0c66efb4ef5219dc3677df90df
c34e7d631363ca2e25efa585c43abffbbed3219195715a6f5f39a8b50f287127
51f801db0d98833131185353dd344e17d432aa84caa8ad27df9a5851cdb30f2b
SH256 hash:
86badf94ab9497481c775b96b82b1de5cbaef310dda7f0b6952ba10dda8a2221
MD5 hash:
3b67c0f90335a93a7553b9568ad570f6
SHA1 hash:
5e7f40d7d25e19c77afd1a23f70f2dea4b40b1b6
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672
MD5 hash:
14ee8b8b7e47469317d1012f0898b111
SHA1 hash:
c6da4e2f1ab8c277129026648cbf97d8d6126245
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
a70dad25705c02e71ccc76bae4febec38f500741dd11820c8d7480c56233cc93
MD5 hash:
ab8c7b1ea9aaf9486241509ea07f9626
SHA1 hash:
6c29fa43361de141a360e4c4cbc5c4614e4f154e
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
Parent samples :
b97a932fadd096c350b870e0a0d9865c0c3a0d28f236575509fb349e347c92b4
6ac53fdae8e1f8f64b9bdc321f0690935f29e26605451b268119cda2a41b6bda
01a7195a65b73ce39d09234ab7266977e307fd0c66efb4ef5219dc3677df90df
c34e7d631363ca2e25efa585c43abffbbed3219195715a6f5f39a8b50f287127
51f801db0d98833131185353dd344e17d432aa84caa8ad27df9a5851cdb30f2b
SH256 hash:
86badf94ab9497481c775b96b82b1de5cbaef310dda7f0b6952ba10dda8a2221
MD5 hash:
3b67c0f90335a93a7553b9568ad570f6
SHA1 hash:
5e7f40d7d25e19c77afd1a23f70f2dea4b40b1b6
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672
MD5 hash:
14ee8b8b7e47469317d1012f0898b111
SHA1 hash:
c6da4e2f1ab8c277129026648cbf97d8d6126245
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672
MD5 hash:
14ee8b8b7e47469317d1012f0898b111
SHA1 hash:
c6da4e2f1ab8c277129026648cbf97d8d6126245
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
a70dad25705c02e71ccc76bae4febec38f500741dd11820c8d7480c56233cc93
MD5 hash:
ab8c7b1ea9aaf9486241509ea07f9626
SHA1 hash:
6c29fa43361de141a360e4c4cbc5c4614e4f154e
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
Parent samples :
b97a932fadd096c350b870e0a0d9865c0c3a0d28f236575509fb349e347c92b4
6ac53fdae8e1f8f64b9bdc321f0690935f29e26605451b268119cda2a41b6bda
01a7195a65b73ce39d09234ab7266977e307fd0c66efb4ef5219dc3677df90df
c34e7d631363ca2e25efa585c43abffbbed3219195715a6f5f39a8b50f287127
51f801db0d98833131185353dd344e17d432aa84caa8ad27df9a5851cdb30f2b
SH256 hash:
a70dad25705c02e71ccc76bae4febec38f500741dd11820c8d7480c56233cc93
MD5 hash:
ab8c7b1ea9aaf9486241509ea07f9626
SHA1 hash:
6c29fa43361de141a360e4c4cbc5c4614e4f154e
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
Parent samples :
b97a932fadd096c350b870e0a0d9865c0c3a0d28f236575509fb349e347c92b4
6ac53fdae8e1f8f64b9bdc321f0690935f29e26605451b268119cda2a41b6bda
01a7195a65b73ce39d09234ab7266977e307fd0c66efb4ef5219dc3677df90df
c34e7d631363ca2e25efa585c43abffbbed3219195715a6f5f39a8b50f287127
51f801db0d98833131185353dd344e17d432aa84caa8ad27df9a5851cdb30f2b
SH256 hash:
86badf94ab9497481c775b96b82b1de5cbaef310dda7f0b6952ba10dda8a2221
MD5 hash:
3b67c0f90335a93a7553b9568ad570f6
SHA1 hash:
5e7f40d7d25e19c77afd1a23f70f2dea4b40b1b6
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
86badf94ab9497481c775b96b82b1de5cbaef310dda7f0b6952ba10dda8a2221
MD5 hash:
3b67c0f90335a93a7553b9568ad570f6
SHA1 hash:
5e7f40d7d25e19c77afd1a23f70f2dea4b40b1b6
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
SH256 hash:
b97a932fadd096c350b870e0a0d9865c0c3a0d28f236575509fb349e347c92b4
MD5 hash:
371bdacde39dede1227b620e61b78ff3
SHA1 hash:
abd4c7feb4357c6bc72a18cf36c9e953d398116f
Link:
https://www.unpac.me/results/012b2f31-59a9-48d2-8f9a-a832d6cd7964/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b97a932fadd0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ffb4e52f0da5c1e91f6286f5124afad7d02c54f490a966396cf05f760799467b

AgentTesla

Executable exe b97a932fadd096c350b870e0a0d9865c0c3a0d28f236575509fb349e347c92b4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ffb4e52f0da5c1e91f6286f5124afad7d02c54f490a966396cf05f760799467b
Cape
Cape
https://www.capesandbox.com/analysis/403435/
  
Dropped by
SHA256 c822631e89dfa72f54732a1bf4fcdda08039fa4f1ca159ea7d423c2d1a0bb630
  
Dropped by
MD5 6c8df164e3bd5b2881d622f0838ff974
  
Dropped by
MD5 a1dbcf02aee7989effee2506d10c6cd9

Comments