MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c87ce160161f10cdcc365345ef885138d741cff464feb748a396ad6af249231e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c87ce160161f10cdcc365345ef885138d741cff464feb748a396ad6af249231e
SHA3-384 hash: 88435909af46ce7f7917198ebf4d9b6d4ba2c7b3fe042ef170743703bd2c69189b3a1401f2fc3d624693c09ab2a32eff
SHA1 hash: 1f24b88741a1ffa06314a996058568c932f720aa
MD5 hash: 9d92efb96db3743b53c645d8acf5697b
humanhash: triple-twelve-six-lactose
File name:Fiyat 10243975 forKARDAG A.S..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:663'040 bytes
First seen:2023-08-07 13:24:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:0t+kVpCbocVYWJZLVu8Yq5bN3Tdwvge1dOkWHAd7sls/s4Q3Ubjv:e+oC8cyW8w5bNG1dTE2IsFQ
Threatray 839 similar samples on MalwareBazaar
TLSH T1EEE41255D068C3A5F9BC4BF968658C350377BEAA5A34E32D0E5974FF2932F8B8421813
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon a526637266a55616 (4 x AgentTesla, 1 x StormKitty, 1 x MassLogger)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Fiyat 10243975 forKARDAG A.S..exe
Verdict:
Malicious activity
Analysis date:
2023-08-07 13:35:28 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/e719dae4-00c2-49de-9b75-2ac95b5970f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441099/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1995.23339.25243.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c87ce160161f10cdcc365345ef885138d741cff464feb748a396ad6af249231e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/175c4d5a-f328-4209-b313-8eb385caf6cc
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1287142
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1287142 Sample: Fiyat_10243975_forKARDAG_A.S..exe Startdate: 07/08/2023 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Sigma detected: Scheduled temp file as task from temp location 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 4 other signatures 2->47 7 Fiyat_10243975_forKARDAG_A.S..exe 7 2->7         started        11 HlCrenIHsSFqA.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\HlCrenIHsSFqA.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp173A.tmp, XML 7->37 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->49 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Adds a directory exclusion to Windows Defender 7->53 13 Fiyat_10243975_forKARDAG_A.S..exe 7 7->13         started        17 powershell.exe 17 7->17         started        19 powershell.exe 19 7->19         started        21 schtasks.exe 1 7->21         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 59 Injects a PE file into a foreign processes 11->59 23 HlCrenIHsSFqA.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 39 mail.icdanismanlik.com 78.135.107.25, 49699, 49700, 49701 PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR Turkey 13->39 61 Installs a global keyboard hook 13->61 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->63 65 Tries to steal Mail credentials (via file / registry access) 23->65 67 Tries to harvest and steal browser information (history, passwords, etc) 23->67 33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c87ce160161f10cdcc365345ef885138d741cff464feb748a396ad6af249231e/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-08-07 03:24:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
14 of 38 (36.84%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zb6ocyawd4im3tbwknc67ccrhdludt7umt7losfds2wwv4sjempa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03e156f16efbda2a891a6519a282ad085325d498695287ee92ad056f7d1c2422
AgentTesla
1f896398b69e22be7442bfd778d704b1e3b0961a51a8307e175d0876f8b67055
AgentTesla
2c02305910d1d64b8128f8519f65a75a9d33a27cfc21de77bbd087fde9bef580
AgentTesla
3441f09f92a9f9234013c0a3484c812f4cde252c191f4212bc24c81f04e7874f
AgentTesla
363b5b951382bb7c9af26fadf9a61541d5a2d4e733adcb40fbc87e18579fd69f
AgentTesla
5ca7bc5b2b3f9d48d7f4bc33093a47215dab1224c60a8d5226bdc03df48f12fe
AgentTesla
903e8bc85723320489960259f907195dbc38fe33cd5471b509a4655583dc02e7
AgentTesla
d50ad11cd990b8a013247eaa4f0a7b1b0044720d56ea2c9834d9560d54e90a22
AgentTesla
dd6d6790b18937e7f2ca0a99e4a7dca9a4f268aa3245ef319ba943d2f432a0fd
AgentTesla
fe0dc5415b9e4a0aaab85349ca18704f10b02a3f5fe6de959b3e39d12a9a07a2
AgentTesla
+ 829 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230807-qnysssfe22/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
504410fd6158a7346f5a2e7b7714203b329d46dab5d129719410d5c325122804
MD5 hash:
74ed681a2d7aed1dae5627d4367474f8
SHA1 hash:
cad2df636d3f0710f69fdb18cbae03a332341dd3
Link:
https://www.unpac.me/results/4feef0db-b44e-46e9-844c-d4a6ac34cb39/
SH256 hash:
aecfc867cdd9f02bbd0639efb3f7c2c9d84eb52acc96d1c2e64b6faefedf0163
MD5 hash:
5afc9d227e5f5078a1709c60214791bb
SHA1 hash:
741d9a701e371803283dd5cb30f35dcb381f6d94
Link:
https://www.unpac.me/results/4feef0db-b44e-46e9-844c-d4a6ac34cb39/
SH256 hash:
acb4f2181a20567f3a024b4919e95a204633c49dd5fa694e73b2c508b2517f62
MD5 hash:
54382de0119d4daa02ec3edd0312168d
SHA1 hash:
0451e80a80e731f260afd2e7c60d9d79069b0a3b
Link:
https://www.unpac.me/results/4feef0db-b44e-46e9-844c-d4a6ac34cb39/
SH256 hash:
c87ce160161f10cdcc365345ef885138d741cff464feb748a396ad6af249231e
MD5 hash:
9d92efb96db3743b53c645d8acf5697b
SHA1 hash:
1f24b88741a1ffa06314a996058568c932f720aa
Link:
https://www.unpac.me/results/4feef0db-b44e-46e9-844c-d4a6ac34cb39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c87ce160161f10cdcc365345ef885138d741cff464feb748a396ad6af249231e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c87ce160161f10cdcc365345ef885138d741cff464feb748a396ad6af249231e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/441099/

Comments