MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d33724f1b25c4d62ceffc10086a6594c24a74549d6a0c6f22f712eb68371b5b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d33724f1b25c4d62ceffc10086a6594c24a74549d6a0c6f22f712eb68371b5b7
SHA3-384 hash: abfbd2ca588897f7e7257188439cd1df25b4167fc7c9d65dae8fe64f48a0993a1aee2a0970e1436561c9bbfb000e8ed6
SHA1 hash: fb10d36ad02e2ac10c0697a473b8f09e5e71ec90
MD5 hash: efad5cf87d2c254002aa4d3631032d02
humanhash: virginia-sierra-sodium-early
File name:SecuriteInfo.com.Win32.KeyloggerX-gen.471.21119
Download: download sample
Signature AgentTesla
Create hunting rule
File size:196'608 bytes
First seen:2023-09-14 09:32:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:UWwDw3w6SIlK9TqWzvsyGn6/uSnIB8eT1Wj33oVJIW9rQz:bVA6OhqWz1X/uSI1knonF9rQ
Threatray 5'689 similar samples on MalwareBazaar
TLSH T1DA14B503FA4649E2C2898B3AC6FF5404C7B1E684E797DB0A798E23DD18477BADC46147
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.KeyloggerX-gen.471.21119
Verdict:
Malicious activity
Analysis date:
2023-09-14 09:35:45 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/3fd1ad1d-2eb1-4ade-965e-d76631f3146c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448601/
Detection(s):
SecuriteInfo.com.Win32.KeyloggerX-gen.471.21119.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin packed replace
Link:
https://www.filescan.io/uploads/6502d3509bae8a378556b9f1/reports/08d6997f-5181-4355-bfaf-7ba6f912dc37/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d33724f1b25c4d62ceffc10086a6594c24a74549d6a0c6f22f712eb68371b5b7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12481f13-0299-4f16-9ce7-87d3fc6e3472
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307617
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Costura Assembly Loader
Yara detected Djvu Ransomware
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1307617 Sample: SecuriteInfo.com.Win32.Keyl... Startdate: 14/09/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Found malware configuration 2->55 57 Antivirus detection for URL or domain 2->57 59 8 other signatures 2->59 7 SecuriteInfo.com.Win32.KeyloggerX-gen.471.21119.exe 16 5 2->7         started        12 Qptvko.exe 14 5 2->12         started        14 Qptvko.exe 2->14         started        16 8 other processes 2->16 process3 dnsIp4 51 qu.ax 92.118.112.119, 443, 49720, 49726 GUDAEV-ASRU Russian Federation 7->51 37 C:\Users\user\AppData\Roaming\Qptvko.exe, PE32 7->37 dropped 75 Creates multiple autostart registry keys 7->75 77 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->77 79 Writes to foreign memory regions 7->79 18 aspnet_compiler.exe 16 4 7->18         started        81 Antivirus detection for dropped file 12->81 83 Multi AV Scanner detection for dropped file 12->83 85 Machine Learning detection for dropped file 12->85 23 aspnet_compiler.exe 3 12->23         started        87 Allocates memory in foreign processes 14->87 89 Injects a PE file into a foreign processes 14->89 25 aspnet_compiler.exe 14->25         started        91 Query firmware table information (likely to detect VMs) 16->91 93 Changes security center settings (notifications, updates, antivirus, firewall) 16->93 27 MpCmdRun.exe 16->27         started        29 conhost.exe 16->29         started        31 conhost.exe 16->31         started        file5 signatures6 process7 dnsIp8 39 mail.doormandoggy.gleeze.com 192.236.194.241, 49722, 49728, 49750 HOSTWINDSUS United States 18->39 41 api4.ipify.org 64.185.227.156, 443, 49721 WEBNXUS United States 18->41 49 2 other IPs or domains 18->49 35 C:\Users\user\AppData\...\svchost.exe.exe, PE32 18->35 dropped 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->61 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->63 65 May check the online IP address of the machine 18->65 67 Creates multiple autostart registry keys 18->67 43 104.237.62.212, 443, 49727, 49746 WEBNXUS United States 23->43 45 api.ipify.org 23->45 47 api.ipify.org 25->47 69 Tries to steal Mail credentials (via file / registry access) 25->69 71 Tries to harvest and steal browser information (history, passwords, etc) 25->71 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->73 33 conhost.exe 27->33         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d33724f1b25c4d62ceffc10086a6594c24a74549d6a0c6f22f712eb68371b5b7/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-09-11 16:39:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 22 (81.82%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2m3sj4nslrgwftx7yeainjszjqskorkj22qmn4rpoexlna3rww3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
076d1d33336d560c55cd222d6e80ea4476119ee8dc51fd8c4c490f366ce66124
AgentTesla
112f00306db8babb1c10980c11bb3324d3a598dd3e4d76b45b48edfbec48854a
AgentTesla
16d662bcb526f0bc319671cb02488c7d37a70925d73a04d79c25e3ce0abb5253
AgentTesla
2ee41490283fad1457d4870ff08f65cf2a6fd2ff0632fae5e365170824111f36
AgentTesla
8a4401b2bfd1bf7cd88327ad700415d6d785d64a403967052ff8f90752f35339
AgentTesla
a87c985a38f30126e94ba6578ae2cb45ceda22b45afa22f47e92de327e5c57a9
AgentTesla
b88f695c511fb7260c06b7e22c51dcea69ac6020cdfadaab785431d90047167e
AgentTesla
ca944d2c5a9eff2ec157e63cb5d4b756dd0abdc3c2bac0444b61419e4f225acf
AgentTesla
cf62480d3566bb8f5784015d97e90dc6b4b449c36cd64b665766bd81011c6671
AgentTesla
d7967a64a0dcd864936c7cff847728dc55b6fe40978c60df5e416d8bd294900c
AgentTesla
+ 5'679 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230914-lh65rsdg37/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
d33724f1b25c4d62ceffc10086a6594c24a74549d6a0c6f22f712eb68371b5b7
MD5 hash:
efad5cf87d2c254002aa4d3631032d02
SHA1 hash:
fb10d36ad02e2ac10c0697a473b8f09e5e71ec90
Link:
https://www.unpac.me/results/ca3f5ea7-ae49-4fb4-aaaa-c0b2fc12ab8a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/d33724f1b25c4d62ceffc10086a6594c24a74549d6a0c6f22f712eb68371b5b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/448601/

Comments