MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d106446fe25932f01efe8164e5dfa001b5c8a05a8d42a3bfd90c306b5814ea54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 14



SHA256 hash: d106446fe25932f01efe8164e5dfa001b5c8a05a8d42a3bfd90c306b5814ea54
SHA3-384 hash: b1bb97dea36aa20a880e980d3158c7ffd50d3803f41cd65b7755dd974c41443efbd01e74f3207a271767ccdae814bd0f
SHA1 hash: bad191389cad4e77167354dc4cf3f96715999576
MD5 hash: 188ca2197f9b756f9ad74a75b1dc4356
humanhash: maryland-north-glucose-london
File name: drogba.exe
Signature: AgentTesla
File size: 670'720 bytes
First seen: 2023-07-13 06:35:19 UTC
Last seen: 2023-07-13 13:17:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:ZqRVZ0GQIut7DVP1PkQFjoUd7hQA12i8OlyF7m2xaHx:ZqRV+z7JPtkCVEA1dlylaHx
Threatray: 4'817 similar samples on MalwareBazaar
TLSH: T166E44C0B3DD0291BE42E427E107C6A6CEAEED51D426FE924742DC2A7B2F664C0D4D74B
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: cocaman
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 5
# of downloads: 270
Origin country: CH
Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: drogba.exe
Verdict: Malicious activity
Analysis date: 2023-07-13 06:37:08 UTC
Tags: stealer agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin packed replace tracker
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-07-13 03:02:32 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 20 of 38 (52.63%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer trojan
Behaviour
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AgentTesla
Unpacked files
SHA256 hash: 76862ef6eed61df70e7cfc407ff3fac8cbca62a2cbf65d4557b20e00ac16f603
MD5 hash: 10271d4f19d6f03d3b04dd51b5f2acf6
SHA1 hash: ec31fb135f3a5210117baec98303b5cdbe6984d0
SHA256 hash: 06d4404ae35c11c366f95e29a9567e0eccc3343be774ba1c0377d149608c8b8c
MD5 hash: bb9115d080a3d14a8a719610905aaede
SHA1 hash: 74b138283e3680816f5ead654720c5ca15985220
SHA256 hash: cfb47bc0e75450721fbab6d7e77319be2ff963baa043b0edbbd485d6f18e6f57
MD5 hash: 0255dca41f11beb051faeaf2df41ca9a
SHA1 hash: 45079d80bbf36a65654d288171b6c0e42fd437f5
Detections: AgentTeslaXorStringsNet
Parent samples:
SHA256 hash: d106446fe25932f01efe8164e5dfa001b5c8a05a8d42a3bfd90c306b5814ea54
MD5 hash: 188ca2197f9b756f9ad74a75b1dc4356
SHA1 hash: bad191389cad4e77167354dc4cf3f96715999576
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d106446fe25932f01efe8164e5dfa001b5c8a05a8d42a3bfd90c306b5814ea54

(this sample)

Comments