MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c952b1693f30f3eb4a4106e1ed621b5dfa296e1d966700c116b7dc4f09a2abf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c952b1693f30f3eb4a4106e1ed621b5dfa296e1d966700c116b7dc4f09a2abf3
SHA3-384 hash: 97795d415dac5df3d90d7f785a18f998f742bed147ccac7c0218c8331a3c9b3a78897a1e1736c31c70f66e997a0e97b4
SHA1 hash: 2a5023147b7e165142933cef5cc91e791796683b
MD5 hash: c93bb58bccedd6e6eeb4721867961b0f
humanhash: glucose-charlie-mockingbird-september
File name:SOA FROM UNIBEST.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:768'560 bytes
First seen:2024-01-16 18:38:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:iL0Fiho/g8S2c2kUS87GEUTI6kf8gE3XwHZ/GrjG5SKRU8ep98kwIb5mREGrg7RL:U0FvI8SkRSO3UToUgEwHZ/Oj+DRep2kd
TLSH T17BF42394E78CAC11C64D623AACB24524A734EEC3735383DBB94AB5743D77BF11906A83
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c098988898888890 (9 x AgentTesla, 3 x Formbook, 2 x PureCrypter)
Reporter malwarelabnet
Tags:AgentTesla exe zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
346
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
c952b1693f30f3eb4a4106e1ed621b5dfa296e1d966700c116b7dc4f09a2abf3.exe
Verdict:
Malicious activity
Analysis date:
2024-01-16 18:41:03 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/d11cb7f2-23d2-43dd-8eae-e66fcae9402d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471201/
Detection(s):
Win.Packed.Seraph-10016137-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65a6cd4c784d3498d74070ba/reports/25e13ccd-0c42-4cc3-8ef2-3ab03f53f73b/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/c952b1693f30f3eb4a4106e1ed621b5dfa296e1d966700c116b7dc4f09a2abf3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afea3d69-53a6-4f13-9a67-d2388003af63
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1375614
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1375614 Sample: SOA_FROM_UNIBEST.exe Startdate: 16/01/2024 Architecture: WINDOWS Score: 100 109 mail.clslk.com 2->109 111 clients1.google.com 2->111 113 clients.l.google.com 2->113 129 Found malware configuration 2->129 131 Malicious sample detected (through community Yara rule) 2->131 133 Antivirus detection for URL or domain 2->133 135 8 other signatures 2->135 11 SOA_FROM_UNIBEST.exe 1 6 2->11         started        15 soft.exe 4 2->15         started        17 boqXv.exe 2->17         started        19 3 other processes 2->19 signatures3 process4 dnsIp5 107 C:\Users\user\AppData\Roaming\soft.exe, PE32 11->107 dropped 161 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->161 163 Encrypted powershell cmdline option found 11->163 165 Creates multiple autostart registry keys 11->165 173 2 other signatures 11->173 22 SOA_FROM_UNIBEST.exe 1 5 11->22         started        27 powershell.exe 20 11->27         started        29 powershell.exe 23 11->29         started        167 Antivirus detection for dropped file 15->167 169 Multi AV Scanner detection for dropped file 15->169 171 Machine Learning detection for dropped file 15->171 31 cmd.exe 15->31         started        33 cmd.exe 17->33         started        115 127.0.0.1 unknown unknown 19->115 35 cmd.exe 19->35         started        37 cmd.exe 19->37         started        file6 signatures7 process8 dnsIp9 123 mail.clslk.com 50.87.253.239, 587 UNIFIEDLAYER-AS-1US United States 22->123 103 C:\Users\user\AppData\Roaming\...\boqXv.exe, PE32 22->103 dropped 105 C:\Users\user\...\boqXv.exe:Zone.Identifier, ASCII 22->105 dropped 137 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->137 139 Tries to steal Mail credentials (via file / registry access) 22->139 141 Creates multiple autostart registry keys 22->141 143 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->143 145 Potential dropper URLs found in powershell memory 27->145 39 conhost.exe 27->39         started        54 2 other processes 29->54 41 soft.exe 31->41         started        44 conhost.exe 31->44         started        46 boqXv.exe 33->46         started        48 conhost.exe 33->48         started        50 soft.exe 35->50         started        52 conhost.exe 35->52         started        57 2 other processes 37->57 file10 signatures11 process12 dnsIp13 59 soft.exe 41->59         started        73 2 other processes 41->73 62 boqXv.exe 46->62         started        75 2 other processes 46->75 147 Encrypted powershell cmdline option found 50->147 149 Injects a PE file into a foreign processes 50->149 64 soft.exe 50->64         started        66 powershell.exe 50->66         started        77 2 other processes 50->77 125 192.168.2.6, 443, 49337, 49699 unknown unknown 54->125 127 239.255.255.250 unknown Reserved 54->127 68 chrome.exe 54->68         started        71 powershell.exe 57->71         started        signatures14 process15 dnsIp16 151 Hides that the sample has been downloaded from the Internet (zone.identifier) 59->151 153 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 64->153 155 Tries to steal Mail credentials (via file / registry access) 64->155 157 Tries to harvest and steal browser information (history, passwords, etc) 64->157 159 Potential dropper URLs found in powershell memory 66->159 79 conhost.exe 66->79         started        117 clients.l.google.com 142.250.65.238, 443, 49710 GOOGLEUS United States 68->117 119 www.google.com 142.250.80.36, 443, 49714, 49715 GOOGLEUS United States 68->119 121 3 other IPs or domains 68->121 81 conhost.exe 71->81         started        83 chrome.exe 73->83         started        85 conhost.exe 73->85         started        87 conhost.exe 73->87         started        89 chrome.exe 75->89         started        95 2 other processes 75->95 91 chrome.exe 77->91         started        93 conhost.exe 77->93         started        signatures17 process18 process19 97 chrome.exe 83->97         started        99 chrome.exe 89->99         started        101 chrome.exe 91->101         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c952b1693f30f3eb4a4106e1ed621b5dfa296e1d966700c116b7dc4f09a2abf3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c952b1693f30f3eb4a4106e1ed621b5dfa296e1d966700c116b7dc4f09a2abf3/
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2024-01-16 11:27:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zfjlc2j7gdz6wssba3q62yq3lx5cs3q5sztqbqiww7oe6cncvpzq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:zgrat keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240116-xal1eagfbk/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
c952b1693f30f3eb4a4106e1ed621b5dfa296e1d966700c116b7dc4f09a2abf3
MD5 hash:
c93bb58bccedd6e6eeb4721867961b0f
SHA1 hash:
2a5023147b7e165142933cef5cc91e791796683b
Link:
https://www.unpac.me/results/9993a4cd-28fc-4742-9830-63025d1c1cac/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c952b1693f30/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.23
Link:
https://yomi.yoroi.company/submissions/c952b1693f30f3eb4a4106e1ed621b5dfa296e1d966700c116b7dc4f09a2abf3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/471201/

Comments