MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd538b702eafb546e31e7c61cda67dfa95af9c27d89ccd1248f14ab81f1d9516. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd538b702eafb546e31e7c61cda67dfa95af9c27d89ccd1248f14ab81f1d9516
SHA3-384 hash: 79f1c8a66f5de284a3db879d051bfbbb659952fb8545c9e02e33004b26e755faa02f6c66bb7ea3152754e01e7059e2f1
SHA1 hash: eab14c480cfb898cf332bee7bd19cc1a6ab1a312
MD5 hash: f01ecf6bbf5c9b4a3d6a6ab76e65fe53
humanhash: island-aspen-bravo-skylark
File name:SecuriteInfo.com.Win32.PWSX-gen.20900.17681
Download: download sample
Signature AgentTesla
Create hunting rule
File size:864'256 bytes
First seen:2023-07-21 06:32:32 UTC
Last seen:2023-07-21 13:12:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:vRmmtKEDpzXjjbaePvTH3j+5lfikGF+5wg:v2E9zbaePvDa5tbQo
Threatray 5'087 similar samples on MalwareBazaar
TLSH T16605DF50B1B40B25E5BE6FF7208546080BF57597B13FD2298DD26CE97AA8F700A8271F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d4923292e2ccb4c0 (13 x AgentTesla, 7 x Formbook, 3 x Loki)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
270
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.20900.17681
Verdict:
Malicious activity
Analysis date:
2023-07-21 06:36:44 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/d5204356-c382-4546-aac1-49acf5dc620e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/427323/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.20900.17681.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bd538b702eafb546e31e7c61cda67dfa95af9c27d89ccd1248f14ab81f1d9516
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4665898a-59ea-4239-a507-9393c22436ca
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277264
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277264 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 21/07/2023 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->76 78 Sigma detected: Scheduled temp file as task from temp location 2->78 80 3 other signatures 2->80 7 SecuriteInfo.com.Win32.PWSX-gen.20900.17681.exe 7 2->7         started        11 RWJhhgvunBRV.exe 5 2->11         started        13 NpblqXP.exe 2->13         started        15 NpblqXP.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\...\RWJhhgvunBRV.exe, PE32 7->52 dropped 54 C:\Users\...\RWJhhgvunBRV.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmpF93A.tmp, XML 7->56 dropped 58 SecuriteInfo.com.W...20900.17681.exe.log, ASCII 7->58 dropped 92 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->92 94 May check the online IP address of the machine 7->94 96 Contains functionality to register a low level keyboard hook 7->96 100 2 other signatures 7->100 17 SecuriteInfo.com.Win32.PWSX-gen.20900.17681.exe 17 10 7->17         started        22 powershell.exe 19 7->22         started        34 2 other processes 7->34 98 Multi AV Scanner detection for dropped file 11->98 24 RWJhhgvunBRV.exe 11->24         started        26 schtasks.exe 11->26         started        28 NpblqXP.exe 13->28         started        36 2 other processes 13->36 30 NpblqXP.exe 15->30         started        32 schtasks.exe 15->32         started        signatures5 process6 dnsIp7 60 agentbetking.com 23.94.150.194, 49690, 49693, 49700 AS-COLOCROSSINGUS United States 17->60 62 mail.agentbetking.com 17->62 68 3 other IPs or domains 17->68 48 C:\Users\user\AppData\Roaming\...48pblqXP.exe, PE32 17->48 dropped 50 C:\Users\user\...50pblqXP.exe:Zone.Identifier, ASCII 17->50 dropped 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->82 84 Tries to steal Mail credentials (via file / registry access) 17->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->86 38 conhost.exe 22->38         started        64 mail.agentbetking.com 24->64 66 api.ipify.org 24->66 88 Installs a global keyboard hook 24->88 40 conhost.exe 26->40         started        70 2 other IPs or domains 28->70 72 2 other IPs or domains 30->72 90 Tries to harvest and steal browser information (history, passwords, etc) 30->90 42 conhost.exe 32->42         started        44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bd538b702eafb546e31e7c61cda67dfa95af9c27d89ccd1248f14ab81f1d9516/
Threat name:
Win32.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-07-21 04:31:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xvjyw4bov62unyy6prq43jt57kk27hbh3com2esi6fflqhy5sula._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1c4912d724ce2c46bef48e510e3203d1b460c77cc16f3fc2eaec561499b37302
AgentTesla
22f78673c87c878a5be8e407f697613d8b1dd28f08a2419e8be224fabc3f02ea
AgentTesla
2350cd7baba805daf4c4216695cad848c3df79edd54e23aea3f953c33572c65d
AgentTesla
7b4cf761f6d81b2808e88bd6239a3b15909c828ea709cf6f975f5caa6be7e472
AgentTesla
8668cd0f536fc0fb2d750d9d4ed492ac9435a32b7ade9f3e427af470bab09bf9
AgentTesla
876aefee92ee7079d9b36fd7f8a2f236399491f91aac1acd02a6fe9f2e504fc1
AgentTesla
a66814d509d2386f2dcff674de026b092a29bb4851710954496fe95fb2df8356
AgentTesla
b3cd9244d9b558968bf4b52e8c25a54b2b08a2d0e941c517e1c2d91be1e61e31
AgentTesla
d6318d749c05b8db21c9d1f0cdcbdc2000f25f56ee154f58004e86b782722a79
AgentTesla
+ 5'077 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230721-ha6x9acc99/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8d896b0375c08e88573c87f5cdf05fab7730ffa94263fdf4c073d648cad33754
MD5 hash:
034d1cfc31b2fd685f2a4ea250d8e083
SHA1 hash:
f5831c79e45a10cc77f5921c97b4f41de44cba7e
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/300340b5-84a9-43dd-953d-f9c80a105fef/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/300340b5-84a9-43dd-953d-f9c80a105fef/
SH256 hash:
4a84c4b6a103f3c9709b857494bc07ff75fbc5ff2816fff7f345aa9da9d49387
MD5 hash:
2b50afa2eb24b5d062c8b1771596f0f6
SHA1 hash:
4187b701373378a207d68bff6804aec8a07a509f
Link:
https://www.unpac.me/results/300340b5-84a9-43dd-953d-f9c80a105fef/
SH256 hash:
eb9659fe647ed73c38a6ed5cf811392aa36230b6ff91a8588d1b5ab557757eb0
MD5 hash:
0364f8100802aade2ab6f4027e7e7c2c
SHA1 hash:
17830b30799b545cf25f676a407608ca4be4c17c
Link:
https://www.unpac.me/results/300340b5-84a9-43dd-953d-f9c80a105fef/
SH256 hash:
bd538b702eafb546e31e7c61cda67dfa95af9c27d89ccd1248f14ab81f1d9516
MD5 hash:
f01ecf6bbf5c9b4a3d6a6ab76e65fe53
SHA1 hash:
eab14c480cfb898cf332bee7bd19cc1a6ab1a312
Link:
https://www.unpac.me/results/300340b5-84a9-43dd-953d-f9c80a105fef/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd538b702eaf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd538b702eafb546e31e7c61cda67dfa95af9c27d89ccd1248f14ab81f1d9516

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/427323/

Comments