MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1b6a939640d928b6a41b8f188a42a68d9167434768abe20b94b74f2a632df30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	c1b6a939640d928b6a41b8f188a42a68d9167434768abe20b94b74f2a632df30
SHA3-384 hash:	e79ac4df5c32e108c3e209a74313643529a232cc3c4301f224e4098be1a44f8db6959f696149c1cfef74fb6e44bacd31
SHA1 hash:	911dc0d7e70c1cdbbbf2fc4e8a5d212e4ec0c375
MD5 hash:	443015316fada7ff64578b88c26d66fb
humanhash:	nebraska-aspen-victor-avocado
File name:	SecuriteInfo.com.Win32.PWSX-gen.11374.8890
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	911'872 bytes
First seen:	2023-09-26 21:36:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:MUeaOS9s9WcVb+BZXScuiXSdiqeH4/ZbAyTcZsLFzkkG8vg+SJFI8kHzcfjAUbKp:r9s9WEEXqU4/ZsezBfE7p
Threatray	5'826 similar samples on MalwareBazaar
TLSH	T1CC159D9C3650B5DFC46BC9768AA42C60EA117CBA871BD203A01735ADE93CA97CF145F3
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	f8e4c688b4e46ca4 (7 x AgentTesla, 1 x Formbook)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.11374.8890

Verdict:

Malicious activity

Analysis date:

2023-09-26 21:39:47 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/500e7bc0-2543-4f8f-aa9f-08a31234b374

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/451361/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Win32.PWSX-gen.11374.8890.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/65134f0133582f234e03f728/reports/b1170c0b-6fd8-4ee7-94b2-ab5dcf68e10f/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/c1b6a939640d928b6a41b8f188a42a68d9167434768abe20b94b74f2a632df30

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/640e54d2-f497-4297-9414-8966487c72d1

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1314831

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/c1b6a939640d928b6a41b8f188a42a68d9167434768abe20b94b74f2a632df30/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-09-26 19:32:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 34 (52.94%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yg3ksolebwjiw2sbxdyyrjbkndmrm5buo2fl4ifzjn2pfjrs34ya._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

411fc006ebe1724a6bab93d977e183ad283f648960c7dacb3eccfccf689967dc

AgentTesla

4e3d57bec4f060ce042685c2eab68373d297ef3506a2a53e65efebefa5f084fd

AgentTesla

71f8edc498c92c37c5c6dffc98969e8cdab7d4f95466163dca68e72d1b1badaf

AgentTesla

90f4dbe5a1ecd502432550851c0f7997d84d3796dc632a77299231582ae05999

AgentTesla

b4073b9936abd8f87ba521d74ecfed8e16ba3582bbf80a51da0da0c1982814ad

AgentTesla

dc72c3da125cac80b5cafb89d523c7b77b357f551fa4366efcd1fd83b568e942

AgentTesla

f03f1ae3d3d6bde555d9bc841f8b11ee27459cb9937ae50298b24acb3190552e

AgentTesla

+ 5'816 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230926-1gfzhsfb76/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6630175295:AAFfPbc9vQVIP0-AF7WS0h2m7ua55ypd_gE/

Unpacked files

SH256 hash:

8166edc6402990e60b92312dd5e6347d8579bfff3958e37bed5cebc316705c5b

MD5 hash:

5cad89fc586f13bd55a4788c995ec3d9

SHA1 hash:

e767585176f1a7ca61ca7a8b732f791a4f883c45

Link:

https://www.unpac.me/results/eb901653-3d05-4049-a0ea-f6e09c7916ed/

SH256 hash:

9db51ad0c5807a5193ed76bc569ac48b685385fe8517538918d9870fd2c318a4

MD5 hash:

b28777279f9d286ef691351d2c5e16fb

SHA1 hash:

c0809893b67b425ea0015dc34ee0306f3ec6ea93

Link:

https://www.unpac.me/results/eb901653-3d05-4049-a0ea-f6e09c7916ed/

SH256 hash:

513d832b6414ca92f71ea7abb910113140519f343c8fee079825d19bec37cae6

MD5 hash:

128feef2cd97a2ee0d369655ab39f214

SHA1 hash:

90d82fff31ca1510bdc670c400faa2893c918341

Link:

https://www.unpac.me/results/eb901653-3d05-4049-a0ea-f6e09c7916ed/

SH256 hash:

bb86efa9d9b1b6b5d65e2f3e12cc0b5075c6ff1dadf08985f738cfc1201c43ad

MD5 hash:

5474c43e0c919094308ee937798eb3ca

SHA1 hash:

33a16615d1c7ea6a8d658d3b6288f19f31ec9f65

Link:

https://www.unpac.me/results/eb901653-3d05-4049-a0ea-f6e09c7916ed/

SH256 hash:

c1b6a939640d928b6a41b8f188a42a68d9167434768abe20b94b74f2a632df30

MD5 hash:

443015316fada7ff64578b88c26d66fb

SHA1 hash:

911dc0d7e70c1cdbbbf2fc4e8a5d212e4ec0c375

Link:

https://www.unpac.me/results/eb901653-3d05-4049-a0ea-f6e09c7916ed/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c1b6a939640d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/c1b6a939640d928b6a41b8f188a42a68d9167434768abe20b94b74f2a632df30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/451361/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample