MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2385aabbc2749063ca10bfcaff327062178dbb3da9eeeafef8eb0d479d06ba9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	d2385aabbc2749063ca10bfcaff327062178dbb3da9eeeafef8eb0d479d06ba9
SHA3-384 hash:	c4de59906826d779cbeb6313ea52737f2666e83eed3db7e39b803eb007a8d1c1438609d647c3984f7492ce11eb278f65
SHA1 hash:	95633d7faf5eb8c18a08fe3618fb0c1959e8528f
MD5 hash:	83601b8dcb111ff09bf97c29236a30d7
humanhash:	south-blossom-don-jupiter
File name:	SecuriteInfo.com.Win32.RATX-gen.10114.13981
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	790'016 bytes
First seen:	2023-10-17 10:32:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:OR3EPwvAOuHw87aruEsQ1mCtJsm02qE/wd2+I:s3EPoZuHRaiEJ1meNm
Threatray	1'815 similar samples on MalwareBazaar
TLSH	T108F46B0675795971CD44DB35C9EA894482A7DE446BE2E2192CCCB2DE0B337BE4F03E92
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	7068ccb0b2b2b2f8 (129 x AgentTesla, 54 x SnakeKeylogger, 28 x AveMariaRAT)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

347

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/455265/

Detection(s):

SecuriteInfo.com.Win32.RATX-gen.10114.13981.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a window

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/652e62e2d9aa1327018523b3/reports/6c07536f-bdc2-4caf-9696-bf01cb8e195b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/d2385aabbc2749063ca10bfcaff327062178dbb3da9eeeafef8eb0d479d06ba9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/52af6cdd-1641-4c58-a597-7154772cd157

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1327173

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d2385aabbc2749063ca10bfcaff327062178dbb3da9eeeafef8eb0d479d06ba9

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/d2385aabbc2749063ca10bfcaff327062178dbb3da9eeeafef8eb0d479d06ba9/

Threat name:

ByteCode-MSIL.Trojan.GenSteal

Status:

Malicious

First seen:

2023-10-17 06:58:53 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 22 (86.36%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2i4fvk54e5eqmpfbbp6k74zhayqxrw5t3kpo5l7pr2yni6oqnouq._file

Verdict:

malicious

AgentTesla

4a793a9dfa5fac79c6e6b8f1d36e8719cc8f2849849259f364ee8e4af08d9613

AgentTesla

73a362f5fb3b1512dd913f9f5fffe0e3968d10ee6e5c243bd76ecbc5cd20e45c

AgentTesla

7ac35bc9a690df912117ceda080f1792321ae1f448680835ed034ec0108396a1

AgentTesla

801001af8a75fe6ef6d54185561138dbb46588fa64cafec2564009e1b124b7f7

AgentTesla

9886fa5dd072d4bb23ea5353ac0014d36b5425f49fdb0b315a2ed54cc5fcc33d

AgentTesla

b572882a705fb5963ab6184c49367cf73f720092d72f99cad222a26bf0318918

AgentTesla

ed57c220f4f3bae36c7116e0997505b04521d9b365879387772a5bd1edb097a5

AgentTesla

+ 1'805 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231017-mlh3sabc2z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla

Unpacked files

SH256 hash:

979006dac9a47b2bb25920934ed2fa82a0fdd070f22a39fa65e12c3c0b98104c

MD5 hash:

d19e605558f939c38a59af0320e93f63

SHA1 hash:

d9dfcf206953d913f935378f94bbe0dae180bd6f

Link:

https://www.unpac.me/results/f73bf20e-380f-408b-9a50-e4a510a78212/

SH256 hash:

5abcfd0e6367b571685801337e39fc2725f69b3328ad6fe144d2f7bd69b7dae9

MD5 hash:

6991bd0922db482da6384346d8b2391c

SHA1 hash:

d3d7dcacd4e9b0fce8bf2547d3450c623f7856fb

Detections:

AgentTesla

win_agent_tesla_g2

Link:

https://www.unpac.me/results/f73bf20e-380f-408b-9a50-e4a510a78212/

Parent samples :

d2385aabbc2749063ca10bfcaff327062178dbb3da9eeeafef8eb0d479d06ba9
700a634e601fb89cef7ccc91b4f368b1ec0b9da12a01ce66e35f9dff696fb8f0

SH256 hash:

3be76066dbccb3e0e8b54ac4e97f44bd8f27198bc7997e0ca24b809905998b79

MD5 hash:

f9608131d9e64ed5c78d03ff9580663f

SHA1 hash:

729ebc55ad67b6cfac16f21fbc56268a26429192

Link:

https://www.unpac.me/results/f73bf20e-380f-408b-9a50-e4a510a78212/

SH256 hash:

8fbcf3e407b689ec4017b925f8dd42daf500fdde5970aff089464e341f856ad6

MD5 hash:

3a267c4c20d452053605e4034d3eebda

SHA1 hash:

54012df6fe5fc3cade6d0d1c895af60ba98ac4e8

Link:

https://www.unpac.me/results/f73bf20e-380f-408b-9a50-e4a510a78212/

SH256 hash:

d2385aabbc2749063ca10bfcaff327062178dbb3da9eeeafef8eb0d479d06ba9

MD5 hash:

83601b8dcb111ff09bf97c29236a30d7

SHA1 hash:

95633d7faf5eb8c18a08fe3618fb0c1959e8528f

Link:

https://www.unpac.me/results/f73bf20e-380f-408b-9a50-e4a510a78212/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d2385aabbc27/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d2385aabbc2749063ca10bfcaff327062178dbb3da9eeeafef8eb0d479d06ba9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/455265/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample