MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d94631983f4b432da3c6ad46185145e0e90ac651c39d07d44bf0eafbd7509b7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d94631983f4b432da3c6ad46185145e0e90ac651c39d07d44bf0eafbd7509b7f
SHA3-384 hash: efe13cebda493e0cf0e856385bc680c6843228793e45f1d98eb3e573920d9f16f047d85cd3971a250eb767ecf551f87d
SHA1 hash: 692e670efba456eb81d99d9ae04f4dea8a44d481
MD5 hash: 023724470a84b79a9efbde752322ddec
humanhash: connecticut-illinois-wolfram-sixteen
File name:023724470a84b79a9efbde752322ddec
Download: download sample
Signature AgentTesla
Create hunting rule
File size:598'528 bytes
First seen:2023-08-09 07:33:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:9OSLYTyv6CYBYCY1CbQsAfErtpwjA4ksxxb1TChR4:M6YTdnYJsAfc85F9TCh
Threatray 5'507 similar samples on MalwareBazaar
TLSH T137D4121A713B5EABE17846F25BF1054583F6626D542AD6CE2D9520CBE0F2F01D900FAF
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 228c38e4e438cc22 (5 x AgentTesla, 2 x RemcosRAT, 1 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/441508/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2256.20740.31614.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d94631983f4b432da3c6ad46185145e0e90ac651c39d07d44bf0eafbd7509b7f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee0f633a-ea69-4f5d-b473-84b0e3711aa3
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1288306
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1288306 Sample: 1O3tb7hE9H.exe Startdate: 09/08/2023 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected AgentTesla 2->40 42 3 other signatures 2->42 6 ECbAt.exe 3 2->6         started        9 1O3tb7hE9H.exe 3 2->9         started        11 ECbAt.exe 2 2->11         started        process3 signatures4 44 Multi AV Scanner detection for dropped file 6->44 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->46 48 May check the online IP address of the machine 6->48 50 Machine Learning detection for dropped file 6->50 13 ECbAt.exe 14 2 6->13         started        17 ECbAt.exe 6->17         started        19 1O3tb7hE9H.exe 17 7 9->19         started        process5 dnsIp6 26 104.237.62.211, 443, 49724 WEBNXUS United States 13->26 28 api.ipify.org 13->28 52 Tries to harvest and steal browser information (history, passwords, etc) 13->52 54 Installs a global keyboard hook 13->54 30 smtp.unrc.ir 193.141.65.121, 49720, 49725, 587 KPNNL Iran (ISLAMIC Republic Of) 19->30 32 api4.ipify.org 64.185.227.156, 443, 49719 WEBNXUS United States 19->32 34 3 other IPs or domains 19->34 22 C:\Users\user\AppData\Roaming\...CbAt.exe, PE32 19->22 dropped 24 C:\Users\user\...CbAt.exe:Zone.Identifier, ASCII 19->24 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->56 58 Tries to steal Mail credentials (via file / registry access) 19->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->60 file7 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d94631983f4b432da3c6ad46185145e0e90ac651c39d07d44bf0eafbd7509b7f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fdddgb7jnbs3i6gvvdbqukf4duqvrsryooqpvcl6dvpxv2qtn7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03642d9445dddc012ac9deb3bf64407597f8910bccd068cdc10ed86f34cf4b4c
AgentTesla
0bfdb30b85547479156f90746ad6218d4d246db35506b2362bdff2850c277046
AgentTesla
192356050027cf305acd427d9afa09fc4bf2bebe1e2eda711554f720e281a83d
AgentTesla
282472e5ce51674338ee76271b47826134eec156881b186646dda5a6ecd16433
AgentTesla
84ccefabf526a27d7d711f91219ba6531857883cc103dcfe1823f7d8240eb760
AgentTesla
a6732c43b74439cbbb8fff0defb66d8f81ce10e8c50a940e5f5819c1722bbeca
AgentTesla
e4c100441418455c82b3f63363875ce36ce69f9b50af3daa37389929733391cf
AgentTesla
e5b3f5c88055487475981257a3146b756a653845e01c66141d3547192805a8f3
AgentTesla
+ 5'497 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230809-jd44hahf65/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
1d26edf7410a9fb1b2d4d1147bf486f8fe4aaa30fafb4e472cef0f334b379cb2
MD5 hash:
b1558948de84ff3d32217a5d2de50b4f
SHA1 hash:
cd7e71fb50a1e929d36ee916091198678ead01d8
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/8447fc5a-55d2-4952-a6e0-fed3b6a5409d/
Parent samples :
03642d9445dddc012ac9deb3bf64407597f8910bccd068cdc10ed86f34cf4b4c
192356050027cf305acd427d9afa09fc4bf2bebe1e2eda711554f720e281a83d
0bfdb30b85547479156f90746ad6218d4d246db35506b2362bdff2850c277046
d94631983f4b432da3c6ad46185145e0e90ac651c39d07d44bf0eafbd7509b7f
e900e880ce3272ce750db05a3428dad9c354116d22cd125c374708cfd9aa0fa2
SH256 hash:
504410fd6158a7346f5a2e7b7714203b329d46dab5d129719410d5c325122804
MD5 hash:
74ed681a2d7aed1dae5627d4367474f8
SHA1 hash:
cad2df636d3f0710f69fdb18cbae03a332341dd3
Link:
https://www.unpac.me/results/8447fc5a-55d2-4952-a6e0-fed3b6a5409d/
SH256 hash:
4bc0541974fe00584a554a0ea43ec7b17ec1896158afba11af489aae14702a74
MD5 hash:
15123ce9106d171fc538d3ae045922ee
SHA1 hash:
7642e8cbef5108b91e178c6b30ef6ae45d8d4924
Link:
https://www.unpac.me/results/8447fc5a-55d2-4952-a6e0-fed3b6a5409d/
SH256 hash:
bb6e4b66a909f5b5e5fae90a2b29c6f236a261ccdb28fecc6a3c84ffdf2561a8
MD5 hash:
560b9079cd97ff76987d1796228da8cc
SHA1 hash:
3a7c6075079502d47cc9ca73e0842091f530f547
Link:
https://www.unpac.me/results/8447fc5a-55d2-4952-a6e0-fed3b6a5409d/
SH256 hash:
d94631983f4b432da3c6ad46185145e0e90ac651c39d07d44bf0eafbd7509b7f
MD5 hash:
023724470a84b79a9efbde752322ddec
SHA1 hash:
692e670efba456eb81d99d9ae04f4dea8a44d481
Link:
https://www.unpac.me/results/8447fc5a-55d2-4952-a6e0-fed3b6a5409d/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d94631983f4b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d94631983f4b432da3c6ad46185145e0e90ac651c39d07d44bf0eafbd7509b7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe d94631983f4b432da3c6ad46185145e0e90ac651c39d07d44bf0eafbd7509b7f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2703157/
Cape
Cape
https://www.capesandbox.com/analysis/441508/

Comments


Avatar
zbet commented on 2023-08-09 07:33:17 UTC

url : hxxp://2.59.254.18/_errorpages/smokeyzx.exe