MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c95eabd64c7bd54273fcee058c9af7b19d4183fe1c6745f2753bd1aac0bd3abe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c95eabd64c7bd54273fcee058c9af7b19d4183fe1c6745f2753bd1aac0bd3abe
SHA3-384 hash: 64823945e8895f799513925aa6ef5fc59af252b7babe5a110b894d1b0efa14dcce82eb8a46cd97cb47a754a30f5264f7
SHA1 hash: 9992e9934ae19a570a36a36f16615a7816c3c8cb
MD5 hash: 74171776b29e523f9afd4d075fc55c63
humanhash: florida-don-july-social
File name:c95eabd64c7bd54273fcee058c9af7b19d4183fe1c6745f2753bd1aac0bd3abe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:625'152 bytes
First seen:2023-05-14 09:58:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Np9SLLBpPCVAJ58T38qQKEVlN8nzLRVo7sEBsZn1f9/fxi:Np9Sx+XuKwv8zLRVoQEBsJ1f9/5
Threatray 3'484 similar samples on MalwareBazaar
TLSH T1E4D4D074619E8B55E02ED7F12478BCB1037134F3A9E9C5380FA2A6C4CE6BF501995E8B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter petikvx
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c95eabd64c7bd54273fcee058c9af7b19d4183fe1c6745f2753bd1aac0bd3abe
Verdict:
Malicious activity
Analysis date:
2023-05-14 10:09:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/966c591f-03d5-4ddb-96f8-669132b50cf0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/389368/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66553135.29141.6601.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/6460b0ee9afafccc175d35c5/reports/258da8ba-3e19-4d4e-8230-e7482bf8b389/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c95eabd64c7bd54273fcee058c9af7b19d4183fe1c6745f2753bd1aac0bd3abe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27c9ff9d-cee8-4e09-a4fe-5ae6f52d60ef
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232750
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 865752 Sample: 7TbprrlEPS.exe Startdate: 14/05/2023 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 5 other signatures 2->63 6 7TbprrlEPS.exe 3 2->6         started        10 TKQShz.exe 3 2->10         started        12 TKQShz.exe 2 2->12         started        process3 file4 27 C:\Users\user\AppData\...\7TbprrlEPS.exe.log, ASCII 6->27 dropped 65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->65 67 May check the online IP address of the machine 6->67 69 Injects a PE file into a foreign processes 6->69 14 7TbprrlEPS.exe 17 5 6->14         started        71 Multi AV Scanner detection for dropped file 10->71 73 Machine Learning detection for dropped file 10->73 19 TKQShz.exe 14 2 10->19         started        21 TKQShz.exe 10->21         started        23 TKQShz.exe 12->23         started        25 TKQShz.exe 12->25         started        signatures5 process6 dnsIp7 33 mail.ungaplc.com 14->33 43 2 other IPs or domains 14->43 29 C:\Users\user\AppData\Roaming\...\TKQShz.exe, PE32 14->29 dropped 31 C:\Users\user\...\TKQShz.exe:Zone.Identifier, ASCII 14->31 dropped 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->47 49 Tries to steal Mail credentials (via file / registry access) 14->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->51 35 ungaplc.com 66.29.130.139, 49704, 587 ADVANTAGECOMUS United States 19->35 37 mail.ungaplc.com 19->37 45 2 other IPs or domains 19->45 39 mail.ungaplc.com 23->39 41 api.ipify.org 23->41 53 Tries to harvest and steal browser information (history, passwords, etc) 23->53 55 Installs a global keyboard hook 23->55 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c95eabd64c7bd54273fcee058c9af7b19d4183fe1c6745f2753bd1aac0bd3abe/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-21 13:57:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zfpkxvsmppkue4745ycyzgxxwgouda76drtul4tvhpi2vqf5hk7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a3910d28d3f2f885f656070a26c9f7abafac1e5231c6b9a8e07844a833f6077
AgentTesla
26e4169f450ad33d2ac91ed523a144039a75b295dd77493dd6b15bda5e7094f6
AgentTesla
42080fb0ec7f2dbdeebe857d0c3d387a27c1325a4e3c80da4780648a4cb94fe2
AgentTesla
6c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44
AgentTesla
89615850a0b6561bbf1c4402fe8ca95b4052f49ebd4a20f0e3ac8a176859ec58
AgentTesla
8ab437ed1b348f24d6a58965cdc27a3e23cfc82fef4456bd3623f739abf196a9
AgentTesla
bbdd3c67e8780f70bb81bbd019cc39c40b8efb9653dcef5e625409fc3ceedd10
AgentTesla
c498c88360de57bc9aafce102efe582a988ca1859e1f4fba5914a0b02e41a2fd
AgentTesla
e45adb38f46b6275c9208ffc10f5ad840da121078544fad3555ef8183608dded
AgentTesla
e4a0ae76726f36cba9f049d1c38fe9e0ace65ce45f7d331f8dd422e62696e072
AgentTesla
+ 3'474 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230514-lz4qzabe66/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
620e8b7b039954980be88d5fa83497e3a9afd763062bb3b9418df30635e1dd44
MD5 hash:
2c266e895a7bef647ab923dfdc1b28fd
SHA1 hash:
db8301d0a4c3aed055b00ac2dfdff9e5df60d661
Link:
https://www.unpac.me/results/52fea1f7-9d46-44f6-8a71-2377c06a1526/
SH256 hash:
9bb1603b9f30d0295c4c28934ce9bdb09229b6cb60767a933cd0f97ed7da66ff
MD5 hash:
cc64970ee7ca1292adfbe2c2894a9b2a
SHA1 hash:
5a05376fa2f6ca2dfef34320e0eb09e9e074627f
Link:
https://www.unpac.me/results/52fea1f7-9d46-44f6-8a71-2377c06a1526/
SH256 hash:
0c13dcb8bd3d4d075540cda0ee13ec146c85468e1b051a4e6438407f126513e0
MD5 hash:
c12e4952001dfb80e2d1443e6ce1de70
SHA1 hash:
466def97400643a2f7bbc55d059c700b54635e3f
Link:
https://www.unpac.me/results/52fea1f7-9d46-44f6-8a71-2377c06a1526/
SH256 hash:
f2504009ae09a97da43834ffbac4f4dec0c503c285deda363f9d72d52d28d13a
MD5 hash:
f10017bb66bf82310b03d74a475df2c3
SHA1 hash:
273f4111e39d8c0d590e54cbff8da3b2be8a913d
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/52fea1f7-9d46-44f6-8a71-2377c06a1526/
Parent samples :
e4a0ae76726f36cba9f049d1c38fe9e0ace65ce45f7d331f8dd422e62696e072
c95eabd64c7bd54273fcee058c9af7b19d4183fe1c6745f2753bd1aac0bd3abe
SH256 hash:
6333b8035d99822e87f33fdb8b0b2b613bd95ce4cd4c9b10b91294d2b6f4ddfd
MD5 hash:
6ef436c0fbb60b08e4c41f2d10abd41b
SHA1 hash:
d4951e14b5cbf79ef903fd7a55bf6354ef9feecf
Link:
https://www.unpac.me/results/52fea1f7-9d46-44f6-8a71-2377c06a1526/
SH256 hash:
c95eabd64c7bd54273fcee058c9af7b19d4183fe1c6745f2753bd1aac0bd3abe
MD5 hash:
74171776b29e523f9afd4d075fc55c63
SHA1 hash:
9992e9934ae19a570a36a36f16615a7816c3c8cb
Link:
https://www.unpac.me/results/52fea1f7-9d46-44f6-8a71-2377c06a1526/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/c95eabd64c7bd54273fcee058c9af7b19d4183fe1c6745f2753bd1aac0bd3abe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c95eabd64c7bd54273fcee058c9af7b19d4183fe1c6745f2753bd1aac0bd3abe

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2346138/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/389368/

Comments