MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d91d2ae4ef54fa855e4b7a36c37717014e0195e815abb272045a25ce46dc66a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	d91d2ae4ef54fa855e4b7a36c37717014e0195e815abb272045a25ce46dc66a6
SHA3-384 hash:	1fc297f35e5c802e46237873841f2f5243daba1c98356fac3adeb82d3dbc5a5033c6079a6111a5ca74b58a04dc4906fe
SHA1 hash:	e8763489a312867eb8805867b46b39ae6d87dbff
MD5 hash:	b563e504169d51631afa24b9f9d622f7
humanhash:	solar-xray-four-violet
File name:	IV22200102 08-02-2023.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	581'632 bytes
First seen:	2023-02-08 14:08:07 UTC
Last seen:	2023-02-10 18:25:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:rW9Pb+HT0qE8S6S7ztLHKNu+A+/1bazhUBjqXn26AlFvL35IRN7Y:8b8vOztLHKNu+A+/1bazhUtc/Alli
Threatray	22'499 similar samples on MalwareBazaar
TLSH	T163C4A13E1DB656E2E0B8FA7196E28420B59C8183330FC95AD9DADBC17F012827DCE55D
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IV22200102 08-02-2023.exe

Verdict:

Malicious activity

Analysis date:

2023-02-08 14:09:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/deb604e9-ecf4-405a-8bf8-14c1b7e87bef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/361993/

Detection(s):

Sanesecurity.Rogue.0hr.20230208-0433.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63e3acff89bd67c10fdd4f79/reports/658e725e-d603-459a-9d57-6e5e8dbbb04d/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d91d2ae4ef54fa855e4b7a36c37717014e0195e815abb272045a25ce46dc66a6

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1b844c10-7824-4549-bf4b-eb6f86352f72

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1168835

Signature

.NET source code contains very large strings

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d91d2ae4ef54fa855e4b7a36c37717014e0195e815abb272045a25ce46dc66a6/

Threat name:

Win32.Trojan.Casdet

Status:

Malicious

First seen:

2023-02-08 03:51:26 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3eosvzhpkt5ikxslpi3mg5yxafhadfpicwv3e4qelis44rw4m2ta._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1326d9172aa0687e037a43b532cf2fb0e2ba90bff2e35efdebac87c3b06560f2

AgentTesla

20c94daf0506d27a6bd3de27e378fc900dd44a32328a41912d60fd26677d426d

AgentTesla

4033d9c9ef268cf2bdf04bb0e1c549e5461ba27026797edf70121468abbd1203

AgentTesla

42bf7d3068212fcc28e6642c1bd4194772639fed9e0eb6636b1c2fbd3048f2ac

AgentTesla

7116f819cf1a305e813cb1bf9d3667fdc18efd1d5ed7e6c5a3afe92c1040addb

AgentTesla

8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d

AgentTesla

af044c42784626edaa652ffc0e158cac07b29329f3131321d3d59619329c6010

AgentTesla

bc2156324a794d59d30a114e3f92daf22b1e70fd4187fe00311ce122b10c4d64

AgentTesla

f144fef878393aa69f18f5cf812ee9a62b0224ccb21936321c8f98d65c98d2f6

AgentTesla

+ 22'489 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230208-rf4vhsag6w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

23eb8a681a87db64b40b7c2f0691ddcce7d2e0407f735878d8f62688bdbd7059

MD5 hash:

5d50e53e23a0b6903f8ba7e4fb06177e

SHA1 hash:

eaa571421001f4206d3c3fa4078bfdd0aa4881de

Link:

https://www.unpac.me/results/4ca3d051-e964-44f5-86e1-4f777f1278a8/

SH256 hash:

452677f7538cdad7eae21f72f500cc0fa48d6fef66e22176612ea26ef4813cdd

MD5 hash:

8bcebae63e79b193a35982314d8c3dbb

SHA1 hash:

7a45432f9b4329dd82dd31389631eb9b907c8e31

Link:

https://www.unpac.me/results/4ca3d051-e964-44f5-86e1-4f777f1278a8/

SH256 hash:

f7adc2d62ff2314e3ed5c626f91a731bef7983d6154afa44949bcd2e55ccd660

MD5 hash:

a90491e8207f5d28238b6fdb968aef36

SHA1 hash:

578c696aa1142b51e34ca44a7c69c042f4870814

Link:

https://www.unpac.me/results/4ca3d051-e964-44f5-86e1-4f777f1278a8/

SH256 hash:

d91d2ae4ef54fa855e4b7a36c37717014e0195e815abb272045a25ce46dc66a6

MD5 hash:

b563e504169d51631afa24b9f9d622f7

SHA1 hash:

e8763489a312867eb8805867b46b39ae6d87dbff

Link:

https://www.unpac.me/results/4ca3d051-e964-44f5-86e1-4f777f1278a8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d91d2ae4ef54/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/d91d2ae4ef54fa855e4b7a36c37717014e0195e815abb272045a25ce46dc66a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.