MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c67364d7cdad141966f7e14ae1ab855568fd781d96ea847c5575359537312c17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 12 File information Comments

SHA256 hash:	c67364d7cdad141966f7e14ae1ab855568fd781d96ea847c5575359537312c17
SHA3-384 hash:	3670f09c723dfd78997ce81e8b55617d3a63b86dd73ea228ff9e296d2f69793558b8f1f6b5b6e6f24e6776983173baa3
SHA1 hash:	df64cda83916f0313ee0b659353f172424ba187c
MD5 hash:	f9dbc840710615a02ff1f964aba0828e
humanhash:	johnny-nuts-lactose-rugby
File name:	RFQ-5662545178.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'185'792 bytes
First seen:	2024-03-25 17:52:32 UTC
Last seen:	2024-03-25 19:43:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep	24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8aFoauhP3:5TvC/MTQYxsWR7aFVuhP
Threatray	2'660 similar samples on MalwareBazaar
TLSH	T1DC459E3273818322FF9B9D32CB5EF61D46786D260123A51FD39C2B79B9F0161463E662
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	125ad212e9cd3682 (40 x AgentTesla, 21 x Loki, 19 x Heodo)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

591

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

c67364d7cdad141966f7e14ae1ab855568fd781d96ea847c5575359537312c17.exe

Verdict:

Malicious activity

Analysis date:

2024-03-25 17:53:46 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/58a2be16-f77f-4d14-88dd-9501dabd3660

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autoit fingerprint keylogger lolbin packed shell32

Link:

https://www.filescan.io/uploads/6601ba0eb81a555db48f042d/reports/9fc31be0-0169-4ac7-a63a-698e3eba5640/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/c67364d7cdad141966f7e14ae1ab855568fd781d96ea847c5575359537312c17

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/88f295dd-2e90-4f7a-b41b-1f93797a5136

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1415362

Signature

Antivirus detection for URL or domain

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Found malware configuration

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c67364d7cdad141966f7e14ae1ab855568fd781d96ea847c5575359537312c17

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c67364d7cdad141966f7e14ae1ab855568fd781d96ea847c5575359537312c17/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2024-03-25 17:04:56 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yzzwjv6nvukbszxx4ffodk4fkvup26a5s3vii7cvou2zknzrfqlq._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

1f900204674608d6536571629b7096726c395598825873805829006724cf593c

AgentTesla

25b36aa737b21d09321370e76dd2540604e24f5a7f0992df779790a1171d08ec

AgentTesla

719b90e90ec80dc97228c3bf8116c9a45fd3636a93e4d0c6917fb8de7f719ef8

AgentTesla

a56b22a39525ddd24a449fca6f955fa6618312e93a0e3bdac810eee9efc4616e

AgentTesla

+ 2'650 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/240325-wgaehshd51/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

3106366b7707bd8c118c96a884164cb6b73fa2b8ab5b7e7e5508c60505bd4289

MD5 hash:

9cae85703b7cbda39abbdc6cd7c66563

SHA1 hash:

e2729f7bd5d998055bd1b56dede972b3424f998e

Detections:

AgentTesla

INDICATOR_EXE_Packed_GEN01

Link:

https://www.unpac.me/results/9d125cac-4f6c-4a6c-b504-3163f0e39f90/

Parent samples :

46d8a62c1eb783055f088db45577025b48710ed5e69976ca8f6a055841c6b7a2
562875566b146aa19239518f5fd6ba3445ca98750e3acde3f77c4c92f6f097ad
c67364d7cdad141966f7e14ae1ab855568fd781d96ea847c5575359537312c17
20429c55a73afdab0975bb4aeac8d61bec3431479a91587850745adc350979d2

SH256 hash:

c67364d7cdad141966f7e14ae1ab855568fd781d96ea847c5575359537312c17

MD5 hash:

f9dbc840710615a02ff1f964aba0828e

SHA1 hash:

df64cda83916f0313ee0b659353f172424ba187c

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/9d125cac-4f6c-4a6c-b504-3163f0e39f90/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c67364d7cdad/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c67364d7cdad141966f7e14ae1ab855568fd781d96ea847c5575359537312c17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTeslaV4 Create hunting rule
Author:	kevoreilly
Description:	AgentTesla Payload

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Generic_Threat_9f4a80b2 Create hunting rule
Author:	Elastic Security

Rule name:	win_agent_tesla_bytecodes_sep_2023 Create hunting rule
Author:	Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample