MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d632ab7152824714b8cc8e02f712512efd4940858bbd21c98a17f36caccc111c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d632ab7152824714b8cc8e02f712512efd4940858bbd21c98a17f36caccc111c
SHA3-384 hash: e5e2e6492452d13bc43af002252f23ec791ee0ec500bbb859f5dc8db8a12eec541031004f9a9f1fa369d6bf19c1cb415
SHA1 hash: 325a1a2399d73db59a2b9867274fccadbfcda98b
MD5 hash: c25e5458da1629771e282f4d7c70b81b
humanhash: rugby-illinois-pip-kansas
File name:SecuriteInfo.com.Variant.Jaik.110210.30069.10190
Download: download sample
Signature AgentTesla
Create hunting rule
File size:281'670 bytes
First seen:2022-12-22 02:30:34 UTC
Last seen:2022-12-22 08:06:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 6144:Lkwaz1/qBTbAwW4cAJZUryviQWnX1hVbEdag2kImG:01/obAiUryv4X1cekVG
Threatray 1'826 similar samples on MalwareBazaar
TLSH T1A7542295A4D0D8EBD0BB1031279B923FE7FBF3063551C69B2761DFBB5A208C14152ACA
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Variant.Jaik.110210.30069.10190
Verdict:
Malicious activity
Analysis date:
2022-12-22 02:32:20 UTC
Tags:
installer agenttesla
Link:
https://app.any.run/tasks/075365cf-1163-4cbd-8a13-3021a861c89a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/348914/
Detection(s):
SecuriteInfo.com.Variant.Jaik.110210.30069.10190.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63a3c169d97d0718afe1c57c/reports/a620813f-13bf-45f5-bf91-c454ae467ebb/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca43d5d8-f940-466f-8b16-ea2588670841
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1139118
Signature
.NET source code contains very large array initializations
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d632ab7152824714b8cc8e02f712512efd4940858bbd21c98a17f36caccc111c/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2022-12-21 23:43:51 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
9 of 40 (22.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2yzkw4ksqjdrjogmrybpoesrf36usqefro6sdsmkc7zwzlgmceoa._file
Verdict:
malicious
Similar samples:
06724c588f5b9381effa96ca72ae6c136b6ec64ae1e898942d34142e40078bab
AgentTesla
0a5d1edacfafff8bef4a4009291b438be7f757609077c2bf5057da38cceab228
AgentTesla
41887da1dcfcd733b74f492cafe20358e8813bd7e770b54ef4c75e763a77bc0d
AgentTesla
68cb6a1efb7c442f063eee5ae3f96ae12a3d2fba0852f22aa7a761cf8b1ae31a
AgentTesla
75fe4b601dac47a21ea34b057b8c2ee8623db40d6fbb6e3398b77260ed38eabf
AgentTesla
7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6
AgentTesla
7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293
AgentTesla
856e9dc2812c572a9023f02503c471addbf8a82be5aed8454cc6254f899caccb
AgentTesla
889c2ec3e88c2a47de4bcc6d88cb74d21a01088330fb240788c81968ba16155b
AgentTesla
f69d7601134fb94a23b3273ed59c85bd5b7847f612e878f1b5c0471e0fb6e7ee
AgentTesla
+ 1'816 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221222-czqdxagh9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Gathering data
Unpacked files
SH256 hash:
7eab0c85b3b208e001c2199ff51bc76701c5821daea255e06fcc7c23fe5980c6
MD5 hash:
6c3853dc083a75b6527769afb61e2a3e
SHA1 hash:
78202e834b08ec0c3eef1cad522787388177425a
Link:
https://www.unpac.me/results/8b9eea24-92eb-4f86-aabf-27c9ec1e3589/
SH256 hash:
adb1463452c7a176910c095046a7bb9820f3cc22c28ebf46515190c2f37430cc
MD5 hash:
8423728c76b0ea13b6beaff5ee53ca2f
SHA1 hash:
698e00178476b7ab1ac86416afa9f37aea7e684d
Link:
https://www.unpac.me/results/8b9eea24-92eb-4f86-aabf-27c9ec1e3589/
SH256 hash:
91d1393d30a946e18b3f8bc89eb036ae23b4ca4743dbc6ec2cef258e59478433
MD5 hash:
d519f2a864ca3f68b793b7002d847aed
SHA1 hash:
861364f9d325bb710a999f7b784ad69122ad2a30
Link:
https://www.unpac.me/results/8b9eea24-92eb-4f86-aabf-27c9ec1e3589/
SH256 hash:
d632ab7152824714b8cc8e02f712512efd4940858bbd21c98a17f36caccc111c
MD5 hash:
c25e5458da1629771e282f4d7c70b81b
SHA1 hash:
325a1a2399d73db59a2b9867274fccadbfcda98b
Link:
https://www.unpac.me/results/8b9eea24-92eb-4f86-aabf-27c9ec1e3589/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d632ab715282/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/d632ab7152824714b8cc8e02f712512efd4940858bbd21c98a17f36caccc111c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/348914/

Comments