MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c120ee7f7c516e3fa159a51144f4c29ca693c0bc726bb953f2cd493f1736cd23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c120ee7f7c516e3fa159a51144f4c29ca693c0bc726bb953f2cd493f1736cd23
SHA3-384 hash: b6e8450e9d08120ef0e24468d28c29d9c9732e6e16c964911d53e3e716bcfe74fab00de2ce7d2cc78876825c85a0f7bd
SHA1 hash: 92b54f48fa1b7e59e2c563ba8254a49af0c12617
MD5 hash: ab56062f34be6231548dc9e794f20784
humanhash: aspen-ohio-robert-massachusetts
File name:SecuriteInfo.com.FileRepMalware.14787.4952
Download: download sample
Signature AgentTesla
Create hunting rule
File size:310'622 bytes
First seen:2022-12-12 13:35:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 6144:9kwPUUdXRhE9KecOxQMAoQPiegzylR0w9ZX4rEW:FbExQMwFgoFFW
Threatray 20'670 similar samples on MalwareBazaar
TLSH T13664239956F0D9E3DA434677FE6BBBABB7F0A52C05007A4B231C9F5E0916AC3081A4C5
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Exploit.CVE-2018-0798.4.3863.8720
Verdict:
Malicious activity
Analysis date:
2022-12-12 10:40:07 UTC
Tags:
exploit cve-2017-11882 agenttesla
Link:
https://app.any.run/tasks/bdf9f202-b2f5-4181-af0c-db10c25bc327

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345450/
Detection(s):
SecuriteInfo.com.FileRepMalware.14787.4952.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Creating a window
Reading critical registry keys
Setting a keyboard event handler
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63972e439a505ad9423f31be/reports/2c86f965-b869-485c-8bbc-82f0f5651318/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e37f883a-2327-461b-a2c8-70389182498a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1132661
Signature
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Detected unpacking (creates a PE file in dynamic memory)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c120ee7f7c516e3fa159a51144f4c29ca693c0bc726bb953f2cd493f1736cd23/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 09:31:16 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yeqo4734kfxd7ikzuuiuj5gctstjhqf4ojv3su7szvet6fzwzurq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee
AgentTesla
d077b3075b08a6f6ae384794e0ddd8c6e509a029440ec56f1669288730e70898
AgentTesla
d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e
AgentTesla
f5d4ebc19dcb1a8676ba1459a04606b5b94e3e1a02bf11393c18e0980e8da2f8
AgentTesla
+ 20'660 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221212-qv874sbd77/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/374508e4-bc25-481f-8b2e-fbd90b605237
Unpacked files
SH256 hash:
bb03d4ee3bba9271bf35ad266aacda19a5c4df069d5b95e48d3a81f66d54f715
MD5 hash:
03a249335f87a20eb693f18ecb4a318f
SHA1 hash:
a803cd0b5c256590993bc7bd7cf0794d42403975
Link:
https://www.unpac.me/results/8de726a3-b817-4da1-b672-46a754d696c3/
SH256 hash:
622cc5f0183308f4516ae2de9d29de8f8e700f705e04d3059b39c3958b55251b
MD5 hash:
b1dabc2a4435232ed7272171f0e50c65
SHA1 hash:
68fcb47379a72b2b052da4b537e74728943e80de
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/8de726a3-b817-4da1-b672-46a754d696c3/
Parent samples :
af869e0c2e147216c4bdc3ab8d27932722ed1beb43ea5f2b362eade332096a65
b7394e25936c4fd44716fcdcce914a35c0cdb0980e4527035681df4f800520e7
08d1ba78580736780e23563d6a5bb870da832e7d25683c987553b1560ae70007
3ccaf74f465a79ec320fdb7e44ae09551f4348efd3bf8bf7b3638cc0c1cd8492
c120ee7f7c516e3fa159a51144f4c29ca693c0bc726bb953f2cd493f1736cd23
SH256 hash:
c120ee7f7c516e3fa159a51144f4c29ca693c0bc726bb953f2cd493f1736cd23
MD5 hash:
ab56062f34be6231548dc9e794f20784
SHA1 hash:
92b54f48fa1b7e59e2c563ba8254a49af0c12617
Link:
https://www.unpac.me/results/8de726a3-b817-4da1-b672-46a754d696c3/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c120ee7f7c51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/c120ee7f7c516e3fa159a51144f4c29ca693c0bc726bb953f2cd493f1736cd23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c120ee7f7c516e3fa159a51144f4c29ca693c0bc726bb953f2cd493f1736cd23

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2454782/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/345450/

Comments