MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c74e0ff43aec86ebf78328a3ad0540af860a662f37081e87ccdb393f29e61389. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c74e0ff43aec86ebf78328a3ad0540af860a662f37081e87ccdb393f29e61389
SHA3-384 hash: 510f546e5a659f76ed606d457c0e46f72f4210e167a235d15f1fdc07f23d90d65e8de9f3d1c9e9fe6640246e2a07f840
SHA1 hash: adc56729653f738673d1554c16647ec8fcd8b3b8
MD5 hash: 76bc277c0ca7cc671aad0439576a0261
humanhash: sixteen-red-india-fillet
File name:SUBR002409261040923_ppwk.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:668'968 bytes
First seen:2023-09-05 13:11:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 12288:nTKNhKBtTo5XV6H4P/x38yUTRz/5x9AN4Y5Z:nToKXToE4x81Vz/5xCN4Y7
Threatray 5'453 similar samples on MalwareBazaar
TLSH T1AFE4E0516620CD82C0D0D6F2A9B2C561BEC5EFFCE5A0DD0731B53A5B76B01A0F77AA90
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SUBR002409261040923_ppwk.exe
Verdict:
Malicious activity
Analysis date:
2023-09-05 13:14:29 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/f6a88014-ff19-465a-8c80-4081ead14562

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446335/
Detection(s):
SecuriteInfo.com.Gen.Variant.Garf.7.4470.15171.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Creating a process from a recently created file
Launching a process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64f729242a262962b793d53b/reports/7b08968d-e0bb-40bc-a265-5f19c2ff1526/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c74e0ff43aec86ebf78328a3ad0540af860a662f37081e87ccdb393f29e61389
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/feea6913-e87a-4f0f-a80d-8a0411d3d6a3
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303543
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1303543 Sample: SUBR002409261040923_ppwk.exe Startdate: 05/09/2023 Architecture: WINDOWS Score: 100 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected GuLoader 2->30 8 SUBR002409261040923_ppwk.exe 1 21 2->8         started        process3 process4 10 powershell.exe 12 8->10         started        signatures5 40 Suspicious powershell command line found 10->40 42 Very long command line found 10->42 44 Found suspicious powershell code related to unpacking or dynamic code loading 10->44 13 powershell.exe 13 10->13         started        16 conhost.exe 10->16         started        process6 signatures7 46 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->46 48 Writes to foreign memory regions 13->48 50 Tries to detect Any.run 13->50 52 Maps a DLL or memory area into another process 13->52 18 CasPol.exe 15 10 13->18         started        process8 dnsIp9 22 api4.ipify.org 104.237.62.212, 443, 49783 WEBNXUS United States 18->22 24 googlehosted.l.googleusercontent.com 142.250.217.193, 443, 49782 GOOGLEUS United States 18->24 26 4 other IPs or domains 18->26 32 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->32 34 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->34 36 May check the online IP address of the machine 18->36 38 3 other signatures 18->38 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c74e0ff43aec86ebf78328a3ad0540af860a662f37081e87ccdb393f29e61389/
Threat name:
Win32.Trojan.Garf
Create hunting rule
Status:
Malicious
First seen:
2023-09-04 07:50:37 UTC
AV detection:
7 of 37 (18.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y5ha75b25sdox54dfcr22bkav6dauzrpg4eb5b6m3m4t6kpgcoeq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
47764a3fd4c9b5502c0f927992cfd4a3c7e16b70228b613c08ec60733ce8f60c
AgentTesla
513b504d6939f1a106cf21f1f4029ab30c5f701fbcf63881b1a5df7466ed2eb1
AgentTesla
628e749249520c025d931f4e78c48d9fc450362f60f7ad7d31f1e4e58927cfb0
AgentTesla
7abcf6dd45f7dd04716c72f511eac0642bb2401da536123698f117b0896816f3
AgentTesla
988de5533ea7c98cdc0974eeb98cc650bdc4f991df9c8f0f85c5a7d4e7611b45
AgentTesla
9f8dd7a2f5e56970c9e6aa9af1c62b9d1d2ee03ca5dc33f9d6d376edd3bc0cdd
AgentTesla
eb617190b27e7449ed078297a96bf5b8b11e02e0f3bf1fa2bc947cac60e8590c
AgentTesla
+ 5'443 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230905-qfh3dafe51/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks QEMU agent file
AgentTesla
Unpacked files
SH256 hash:
c74e0ff43aec86ebf78328a3ad0540af860a662f37081e87ccdb393f29e61389
MD5 hash:
76bc277c0ca7cc671aad0439576a0261
SHA1 hash:
adc56729653f738673d1554c16647ec8fcd8b3b8
Link:
https://www.unpac.me/results/078e8672-8742-4e93-b418-c1ab29881e3f/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c74e0ff43aec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c74e0ff43aec86ebf78328a3ad0540af860a662f37081e87ccdb393f29e61389

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/446335/

Comments