MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c046fa2c19c9ff918bc1918ec579fc4e01166553c97753ce85fe744561f0973d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c046fa2c19c9ff918bc1918ec579fc4e01166553c97753ce85fe744561f0973d
SHA3-384 hash: b347cd3e8494edc01423e5be68d254314a8a05ecbba09a383a634be85d200d1eb4725b338af913f1df53d7955f46d47a
SHA1 hash: bdc7da650fceadee267e748514226a014b69e219
MD5 hash: 896f5492112b8b5d20a126da6529fa10
humanhash: video-hawaii-alanine-kilo
File name:USD8,000.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:675'840 bytes
First seen:2023-04-18 10:49:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:7CRJXJTxign976BQXKdf3sqqjHNnSfb9CBwULkzSwHCL0UBtV:OXNxiy976BQ6d6NnUCBwU5oCL04tV
Threatray 200 similar samples on MalwareBazaar
TLSH T105E4F058E039ADB6E79D067A000436D9DB6466E77477CA3C07A6B4DAEBDF7012C840CB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00e86871e8d4c400 (6 x AgentTesla, 1 x Loki)
Reporter madjack_red
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
USD8,000.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 10:51:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8f7ab891-9f71-4748-98fd-18a106950562

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382982/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643e75dd000396b4e9992ce6/reports/7b634163-b5d4-4e1a-891f-1d263e78db39/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c046fa2c19c9ff918bc1918ec579fc4e01166553c97753ce85fe744561f0973d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97e8fd6b-982c-47f2-ab2e-3aa856d1da0b
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215855
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848779 Sample: USD8,000.exe Startdate: 18/04/2023 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Sigma detected: Scheduled temp file as task from temp location 2->78 80 5 other signatures 2->80 7 USD8,000.exe 7 2->7         started        11 explorer.exe 2->11         started        13 KhQeAGGvrH.exe 5 2->13         started        15 explorer.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\...\KhQeAGGvrH.exe, PE32 7->52 dropped 54 C:\Users\...\KhQeAGGvrH.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmp664C.tmp, XML 7->56 dropped 58 C:\Users\user\AppData\...\USD8,000.exe.log, CSV 7->58 dropped 94 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->94 96 May check the online IP address of the machine 7->96 98 Uses schtasks.exe or at.exe to add and modify task schedules 7->98 106 2 other signatures 7->106 17 USD8,000.exe 17 10 7->17         started        22 powershell.exe 19 7->22         started        34 3 other processes 7->34 100 System process connects to network (likely due to code injection or exploit) 11->100 102 Multi AV Scanner detection for dropped file 11->102 104 Machine Learning detection for dropped file 11->104 24 explorer.exe 11->24         started        36 2 other processes 11->36 26 KhQeAGGvrH.exe 13->26         started        28 schtasks.exe 1 13->28         started        30 explorer.exe 15->30         started        32 schtasks.exe 15->32         started        signatures5 process6 dnsIp7 60 toyscenter.cl 190.171.170.94, 49704, 49705, 49706 CTCCORPSATELEFONICAEMPRESASCL Chile 17->60 62 mail.toyscenter.cl 17->62 68 3 other IPs or domains 17->68 48 C:\Users\user\AppData\...\explorer.exe, PE32 17->48 dropped 50 C:\Users\...\explorer.exe:Zone.Identifier, ASCII 17->50 dropped 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->82 84 Tries to steal Mail credentials (via file / registry access) 17->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->86 38 conhost.exe 22->38         started        70 2 other IPs or domains 24->70 64 mail.toyscenter.cl 26->64 66 api.ipify.org 26->66 40 conhost.exe 28->40         started        72 2 other IPs or domains 30->72 88 System process connects to network (likely due to code injection or exploit) 30->88 90 Tries to harvest and steal browser information (history, passwords, etc) 30->90 92 Installs a global keyboard hook 30->92 42 conhost.exe 32->42         started        44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c046fa2c19c9ff918bc1918ec579fc4e01166553c97753ce85fe744561f0973d/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 04:28:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ybdpulazzh7zdc6bsghmk6p4jyarmzktzf3vhtuf7z2ekypqs46q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de
AgentTesla
397ca8a839fae5e6c07fd3036a25e5df37220967ad381ca181da0a97354ed8cd
AgentTesla
52208dce9b01e32cd33278444f09b15ba8163a919c73d3d5e33401ce6520c7d2
AgentTesla
74e026864737309f9d0055cd6fd0bed4fc1889f058440d5e9f21df3bb96f2b9c
AgentTesla
80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d
AgentTesla
a036acc68623b42509e807b81be7270e1fc0c626aa15d8164d2f52bd321be1fd
AgentTesla
c70ed8b0ed3a434cadb2b4fcb796b3f6fb7266a3661c0a60ebe87a1e39613e21
AgentTesla
d89323dd840c86ee64285f6353eee84089b4c242df329b9b5f0c42a6b8944eb5
AgentTesla
f128c12c1f7a5f1d321e716497c03def8bc09e6efb47fa900f134a81559d3ffa
AgentTesla
fe5c1951ae2974e208a94346ba859a9ed7a30393880d4041315f35a3dd90bf38
AgentTesla
+ 190 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230418-mw9ngsah69/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
dbb8420610501e8a57b16161c393b99fbedaf370d2bd2c4b26b736fb7d2c6e64
MD5 hash:
250d30d379eb92258637dcfc9e02f72b
SHA1 hash:
fa9bd9a5a7cc21a2fb3ec0a3765234eb91953078
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/f65f5b56-83ce-4c1c-bb57-866655e1d33e/
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/f65f5b56-83ce-4c1c-bb57-866655e1d33e/
SH256 hash:
5f5c9d9f1cfb2cd2bfebb85675192d16f160583d6d35eaa3eb8425c1abd7164e
MD5 hash:
08f6a5442e82573f6743606768fb8c83
SHA1 hash:
793633cbbd4f30ae831f712241446768f495716d
Link:
https://www.unpac.me/results/f65f5b56-83ce-4c1c-bb57-866655e1d33e/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/f65f5b56-83ce-4c1c-bb57-866655e1d33e/
SH256 hash:
2a39e4c0717179b219cdef7b518d1f4ab8c01b2dd9e495a59ff8387b04b2e60c
MD5 hash:
e379d1904961c1fb8edaa3daa3004079
SHA1 hash:
19a58c643927cbb375271b439846b08fe1719592
Link:
https://www.unpac.me/results/f65f5b56-83ce-4c1c-bb57-866655e1d33e/
SH256 hash:
c046fa2c19c9ff918bc1918ec579fc4e01166553c97753ce85fe744561f0973d
MD5 hash:
896f5492112b8b5d20a126da6529fa10
SHA1 hash:
bdc7da650fceadee267e748514226a014b69e219
Link:
https://www.unpac.me/results/f65f5b56-83ce-4c1c-bb57-866655e1d33e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c046fa2c19c9ff918bc1918ec579fc4e01166553c97753ce85fe744561f0973d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/382982/

Comments