MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c837d46a2947aa9bc4c5c85f524c6e7cd796a9d8d97f5e59fc952e396d6b9662. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c837d46a2947aa9bc4c5c85f524c6e7cd796a9d8d97f5e59fc952e396d6b9662
SHA3-384 hash: aded58088d0ec4be5a3e31861cc2eab3d1654791d5e88901207068a1b0d3ee6e612bf4e81d865a1b4b30fd119dffd9b3
SHA1 hash: 0f297811bc7773abf0d8a27f8163fef06633884d
MD5 hash: ec85a368488a7972f2a6977def2c95de
humanhash: california-nevada-monkey-mirror
File name:RFQ 1 DESCON - PORD-2022-0461.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:339'071 bytes
First seen:2022-10-11 07:34:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmpOPi//S16vVaENu/XugOUtMQY0f2UWjxrCqswIVOjZJW8c:HNlpOPI/S16v+XpOUtMeFUxrCqswRzWL
Threatray 21'439 similar samples on MalwareBazaar
TLSH T18D74122423A5C6ABDDF61A330D767F3CCE6AA52304F9830B13445B5E7E21B86971E316
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318805/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Searching for the window
Sending a custom TCP request
Moving a file to the %temp% directory
Reading critical registry keys
Сreating synchronization primitives
DNS request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42452/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63451ca91ddf36bcc3f45f78/reports/d77f0167-bbe7-43c7-8067-e1050dfc48e0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/550b638a-55f2-45ad-83fa-bc85ed5ce699
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1087734
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Found hidden mapped module (file has been removed from disk)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 720314 Sample: RFQ 1 DESCON - PORD-2022-0461.exe Startdate: 11/10/2022 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for dropped file 2->45 47 7 other signatures 2->47 7 RFQ 1 DESCON - PORD-2022-0461.exe 18 2->7         started        process3 file4 23 C:\Users\user\AppData\Local\...\pwgggpgbk.exe, PE32 7->23 dropped 10 pwgggpgbk.exe 2 7->10         started        process5 file6 25 C:\Users\user\AppData\Local\Temp\C99E.tmp, PE32 10->25 dropped 27 C:\Users\user\AppData\Local\Temp\C519.tmp, PE32 10->27 dropped 49 Multi AV Scanner detection for dropped file 10->49 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->51 53 Machine Learning detection for dropped file 10->53 55 3 other signatures 10->55 14 pwgggpgbk.exe 17 3 10->14         started        19 WerFault.exe 23 11 10->19         started        21 pwgggpgbk.exe 10->21         started        signatures7 process8 dnsIp9 31 api.telegram.org 149.154.167.220, 443, 49699 TELEGRAMRU United Kingdom 14->31 29 C:\Users\user\AppData\...\tmpG244.tmp (copy), PE32 14->29 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file / registry access) 14->35 37 Tries to harvest and steal ftp login credentials 14->37 39 2 other signatures 14->39 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c837d46a2947aa9bc4c5c85f524c6e7cd796a9d8d97f5e59fc952e396d6b9662/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 07:35:10 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=za35i2rji6vjxrgfzbpvetdoptlznkoy3f7v4wp4suxds3llszra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
40eacf74e5f8d9b40c3a70ba66a6c30deee60c2843f94fe387ccb0dbb7a2cd59
AgentTesla
51c618c3e7e2fee52da462177f0dd44e5fbb3d6234edd8fbf5542c2dc51a8aee
AgentTesla
6713a526ffb1f9608dfb3769e696aff9908b0fc018447639c94c71f46dfe7ebe
AgentTesla
7813dfab45495b61483bf8b3ed97661dfadad39e080745a5c5fc841841a5602d
AgentTesla
ab91459253a14ca086ed1b79f0958b331fc09b7d611ef953ca85c045ff43024e
AgentTesla
b5de0c74c3c5e35b578d47b4e146d338982940f8bd0f213bc5548143db78079d
AgentTesla
+ 21'429 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221011-jeng5sccb8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5476182638:AAHvucVi8dazSUGu-Cignlmyn3Zlby23z50/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b6548500-d304-43fd-8570-881b5dca21fb
Unpacked files
SH256 hash:
38065d2a2d5c329081717faabbea7df30e9dca50455cf94d42cb3bd086dde80b
MD5 hash:
26d388adf0af439cfecf3661f67bad09
SHA1 hash:
8c0c3412032db1d85c52c140f43c0600c7d6ddff
Link:
https://www.unpac.me/results/eb019933-cf40-4a22-b263-4050ba496b22/
SH256 hash:
cc958b0b0578540f72049a2e88192087687d11e7bf4f96dbf447a68c0c5fb4ab
MD5 hash:
26e2515583077672af08e04b3be02648
SHA1 hash:
096af7ff8316d28e2fa27274907a8600aeee16f5
Link:
https://www.unpac.me/results/eb019933-cf40-4a22-b263-4050ba496b22/
SH256 hash:
af60587fb2a03111607b556067cf110d5251fedff34e8b88cb6aaf25237ce8f4
MD5 hash:
1c51b6a8ac37013f174fc503adab7b7d
SHA1 hash:
0ed45b6afd7a10e0eab848ff9715d3c6c6849068
Link:
https://www.unpac.me/results/eb019933-cf40-4a22-b263-4050ba496b22/
SH256 hash:
c837d46a2947aa9bc4c5c85f524c6e7cd796a9d8d97f5e59fc952e396d6b9662
MD5 hash:
ec85a368488a7972f2a6977def2c95de
SHA1 hash:
0f297811bc7773abf0d8a27f8163fef06633884d
Link:
https://www.unpac.me/results/eb019933-cf40-4a22-b263-4050ba496b22/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c837d46a2947/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c837d46a2947aa9bc4c5c85f524c6e7cd796a9d8d97f5e59fc952e396d6b9662

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c837d46a2947aa9bc4c5c85f524c6e7cd796a9d8d97f5e59fc952e396d6b9662

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/318805/

Comments