MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be0844c44e24e3abe80a169bf181bfdd2e26cd402f10329c62b6175467a83937. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be0844c44e24e3abe80a169bf181bfdd2e26cd402f10329c62b6175467a83937
SHA3-384 hash: e79e5aecb050d67eda2dc169ac837e0f54db40210fa2eb3605e5c422f2b15593b6adf5f787f11b34fb6fdb33d7fedbda
SHA1 hash: c1facdcf9e546158041c2aeddd74257fc28ec58d
MD5 hash: 0c95b75279999d69391477a183c458b7
humanhash: berlin-louisiana-berlin-green
File name:SecuriteInfo.com.Win32.CrypterX-gen.13490.7335
Download: download sample
Signature AgentTesla
Create hunting rule
File size:809'984 bytes
First seen:2023-08-22 11:42:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:wyczkOpgmYXdB2wi6gXlD1u64troNAeeCWKdvs:wre8V6gvujtroreCWoU
Threatray 5'573 similar samples on MalwareBazaar
TLSH T1EF05D03477642F62C3E7393BA744C4938752C0F95F6428FB2C6F2068184FA7A5919B6E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.CrypterX-gen.13490.7335
Verdict:
Malicious activity
Analysis date:
2023-08-22 11:44:46 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/c2d082ca-68ef-4407-babe-a840899a0a10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/444143/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.13490.7335.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/be0844c44e24e3abe80a169bf181bfdd2e26cd402f10329c62b6175467a83937
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fd7895f-5690-4ed8-815f-f99f0da5b735
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1295113
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1295113 Sample: SecuriteInfo.com.Win32.Cryp... Startdate: 22/08/2023 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 6 other signatures 2->53 6 SecuriteInfo.com.Win32.CrypterX-gen.13490.7335.exe 1 5 2->6         started        10 Weizlxwrj.exe 5 2->10         started        12 Weizlxwrj.exe 4 2->12         started        14 2 other processes 2->14 process3 file4 31 C:\Users\user\AppData\Roaming\Weizlxwrj.exe, PE32 6->31 dropped 71 Creates multiple autostart registry keys 6->71 73 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 6->73 75 Writes to foreign memory regions 6->75 77 Injects a PE file into a foreign processes 6->77 16 MSBuild.exe 17 4 6->16         started        79 Antivirus detection for dropped file 10->79 81 Multi AV Scanner detection for dropped file 10->81 83 Machine Learning detection for dropped file 10->83 21 MSBuild.exe 10->21         started        23 MSBuild.exe 12->23         started        25 conhost.exe 14->25         started        27 conhost.exe 14->27         started        signatures5 process6 dnsIp7 33 api4.ipify.org 64.185.227.156, 443, 49708, 49745 WEBNXUS United States 16->33 35 quartieri97italy.com.ng 104.194.10.93, 49711, 49746, 49749 RELIABLESITEUS United States 16->35 45 3 other IPs or domains 16->45 29 C:\Users\user\AppData\Roaming\...\yStNrF.exe, PE32 16->29 dropped 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->57 59 May check the online IP address of the machine 16->59 61 Creates multiple autostart registry keys 16->61 37 mail.quartieri97italy.com.ng 21->37 39 api.ipify.org 21->39 63 Installs a global keyboard hook 21->63 41 mail.quartieri97italy.com.ng 23->41 43 api.ipify.org 23->43 65 Tries to steal Mail credentials (via file / registry access) 23->65 67 Tries to harvest and steal browser information (history, passwords, etc) 23->67 69 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->69 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be0844c44e24e3abe80a169bf181bfdd2e26cd402f10329c62b6175467a83937/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-08-22 11:43:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 36 (69.44%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xyeejrcoetr2x2akc2n7dan73uxcntkaf4idfhdcwylviz5ihe3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
143152208fb2b0e16a666019a6d0c0a4c8b5177707d24d1a1bb97568f34bd089
AgentTesla
1b3a82f21226cf22c6b935eeb7ca17fc2c36ec65cbf1f4fc32cc8b79fb3252d8
AgentTesla
2627e96c1ea96adf04b4709b5cdb2fe6b9cd9b82ff959cdde4e61a4acb9cbf4d
AgentTesla
478d51fa24c69ccaa66567cbcdf3105f7c302bbba2b88db7cfee19fe84acf64f
AgentTesla
54a5be7cfb6c0e4eb1673fc7d158b93094378a55f403afa84b82604bf06a9d5b
AgentTesla
891506e9adca3e63194bd09965a91917768320436f7b5d940a4ae7a1d334f831
AgentTesla
9bee15aa43bcdb1c361ba488354de254e7860b9f006ad7ce7602adc6d7667e62
AgentTesla
9f733ddfdc69ff2f98222d9852a8fa88a1c2b36fbabe0044249fa6ab03d2a883
AgentTesla
a073440250210a9a498868af360fb2e9dc8bd35458891a4bad3972c9aa4b4ca7
AgentTesla
bc6ac708586d3cd72851c365708a555068339aa2d10b4d031c5ed15bc4269d2b
AgentTesla
+ 5'563 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/230822-nvkteadd9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Unpacked files
SH256 hash:
fb076204ca6c707f579223ee1191815b2977a01159619d47bec34e768d90836d
MD5 hash:
50b58d0edee24aa4f51d4e23410870fd
SHA1 hash:
d25b1938e0d5f5c1d1beadbc0a87219ae175b49c
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/9306a46e-f27d-49a5-8abf-79214bbd175e/
SH256 hash:
114ff364950aa3e4e10a09777e8411a37faeeb904436d47d60074e4018aa3dac
MD5 hash:
42c0df5ca242335cfdf8dd3ffd7f1b70
SHA1 hash:
bc96d5ce7058fcc876a6db9ecca540cf9e54ab32
Link:
https://www.unpac.me/results/9306a46e-f27d-49a5-8abf-79214bbd175e/
SH256 hash:
205ded00cc65f1cf6560e6170c6a5685c7bd8f76a67034a63812e90f4a22e2e5
MD5 hash:
66526932acfe5cef75bd7dffc31906c9
SHA1 hash:
b131e6951ebc9babb28e8df2e6adb5342f2297a3
Link:
https://www.unpac.me/results/9306a46e-f27d-49a5-8abf-79214bbd175e/
SH256 hash:
70bd2d82b3917133eae22adfd8c34b8371551ad97f5965cab8c19d560d92ff27
MD5 hash:
2fa3740a51d269eaff7a2c9b638e554c
SHA1 hash:
0636ab48b3bb820627250585c39479e86efad9fe
Link:
https://www.unpac.me/results/9306a46e-f27d-49a5-8abf-79214bbd175e/
SH256 hash:
be0844c44e24e3abe80a169bf181bfdd2e26cd402f10329c62b6175467a83937
MD5 hash:
0c95b75279999d69391477a183c458b7
SHA1 hash:
c1facdcf9e546158041c2aeddd74257fc28ec58d
Link:
https://www.unpac.me/results/9306a46e-f27d-49a5-8abf-79214bbd175e/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be0844c44e24/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/be0844c44e24e3abe80a169bf181bfdd2e26cd402f10329c62b6175467a83937

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/444143/

Comments