MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d858c46195e818b01623144579c503c17a2bcfe6c2a38cff995f2bf720e2b06b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d858c46195e818b01623144579c503c17a2bcfe6c2a38cff995f2bf720e2b06b
SHA3-384 hash: b8ec236c9de85cfc15edd5b3c9674ffcbf2081bc47a6042d557827a11a68811097a386d0b23dab5f299bca912d81df65
SHA1 hash: ed8a8a89538c1c8e5acfd272255d3b7861b4b10a
MD5 hash: b82bf692fb36f7d1bd62f5e2cea0c2d8
humanhash: virginia-bravo-jig-alaska
File name:168492132148caa45aa0aa3833507f6e8ea7f3c9723b83618455d8f8c89e02af893ffeb987924.dat-decoded
Download: download sample
Signature AgentTesla
Create hunting rule
File size:168'960 bytes
First seen:2023-05-24 09:42:03 UTC
Last seen:2023-09-01 06:02:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:uH759sOPkdP1pL/holeC5gzFpxdPvsHWXbOvI52cRS2:uRk3d/ugNRvbbOvI5V
Threatray 3'071 similar samples on MalwareBazaar
TLSH T143F328E992894DD1C72C40B4F4ADD148CEB291565637F75D0DA3ACFABB0A383321AC67
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:AgentTesla base64-decoded exe


Avatar
abuse_ch
Malware dropped as base64 encoded payload

Intelligence

File Origin
# of uploads :
3
# of downloads :
269
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
168492132148caa45aa0aa3833507f6e8ea7f3c9723b83618455d8f8c89e02af893ffeb987924.dat-decoded
Verdict:
Malicious activity
Analysis date:
2023-05-24 09:44:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4813d1b3-e58f-4790-b3d5-a3cf47a40ea1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/391066/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.24596.19636.25681.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a custom TCP request
DNS request
Creating a window
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hacktool lolbin packed
Link:
https://www.filescan.io/uploads/646ddc2622cadf2621d974f7/reports/de6997b8-956f-42ce-9c24-8f5caddabbec/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/d858c46195e818b01623144579c503c17a2bcfe6c2a38cff995f2bf720e2b06b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bbca0838-8fa8-41e3-b11e-f12bf9a4e90d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1241465
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d858c46195e818b01623144579c503c17a2bcfe6c2a38cff995f2bf720e2b06b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 09:43:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3bmmiymv5amlafrdcrcxtridyf5cxt7gykryz74zl4v7oihcwbvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07f01993306030d708dc2b5b42d4a6aef41c0c2f597aca066138689a6722a25d
AgentTesla
107f5059b55ddfab8351c5369f43325f2d051aa41f5bbfe94a48ce577626a726
AgentTesla
158d9c5a8c7290c638708e4843cb732e395c1ef4d782e1425220cb54467f27dd
AgentTesla
207101f6912ab3d1db4eb31783037685cade90fbc6ed91dffc1c53138b8436ff
AgentTesla
2c5117280800871fbceb13a571a8d602c17f3c08247c8ccf546bb9dc8adda73e
AgentTesla
45724089400b978774c70254e03cacf1df986161104c4a5691af5d9eff8f46c1
AgentTesla
493781dc1d845e09f96742dfdc2edaef673ac5d4b2139875929166f2627dc161
AgentTesla
9897d0d1d13bbde8a468acd74e20f91c131368f3d6cd723d2545b876436d8f28
AgentTesla
bfdc1ff00762627c6a8a95344bf549ea2ed0d63d9c0375584a608201f1b5d84e
AgentTesla
c258adf0015f1607b2b09594cbec41de70d816829820695f8c9778ec4b11d553
AgentTesla
+ 3'061 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230524-lpdrsscd6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d858c46195e818b01623144579c503c17a2bcfe6c2a38cff995f2bf720e2b06b
MD5 hash:
b82bf692fb36f7d1bd62f5e2cea0c2d8
SHA1 hash:
ed8a8a89538c1c8e5acfd272255d3b7861b4b10a
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/954b6a80-b0cf-4f32-8863-0a40313b4b96/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d858c46195e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/d858c46195e818b01623144579c503c17a2bcfe6c2a38cff995f2bf720e2b06b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

48caa45aa0aa3833507f6e8ea7f3c9723b83618455d8f8c89e02af893ffeb987

AgentTesla

Executable exe d858c46195e818b01623144579c503c17a2bcfe6c2a38cff995f2bf720e2b06b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2638559/
  
Dropped by
SHA256 48caa45aa0aa3833507f6e8ea7f3c9723b83618455d8f8c89e02af893ffeb987
  
Dropped by
MD5 d7f32248a665e5d4104215ad2b5d766e
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/391066/

Comments