MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc72c3da125cac80b5cafb89d523c7b77b357f551fa4366efcd1fd83b568e942. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc72c3da125cac80b5cafb89d523c7b77b357f551fa4366efcd1fd83b568e942
SHA3-384 hash: 9388258616a892d216d56d84a5a37b3c80ebd01428227af99ea7d535314b52f7e8216cc8da4c1c38e8e43ed5793ff398
SHA1 hash: 07e56abca89e7db93f8a0d82ea2bb0b31ec814a9
MD5 hash: 79747753f64e2bd81a488214af41b3f8
humanhash: stream-minnesota-may-charlie
File name:SecuriteInfo.com.Trojan.PackedNET.2273.21950.25588
Download: download sample
Signature AgentTesla
Create hunting rule
File size:538'624 bytes
First seen:2023-08-15 10:34:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:9yWV/Os3341y2HD/bsPze+NcHszLAERP714+1TjnD:9yRHy2jzsL7TlRP5VN
Threatray 1'090 similar samples on MalwareBazaar
TLSH T1E7B41218F2FD3B26C17AD7F9506149B903B8BDA6B552E21DCCE320D20D64B906B81F27
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.2273.21950.25588
Verdict:
Malicious activity
Analysis date:
2023-08-15 10:37:13 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/b5108f77-e113-45ba-a353-bc0da40f3ec9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442753/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.2273.21950.25588.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/dc72c3da125cac80b5cafb89d523c7b77b357f551fa4366efcd1fd83b568e942
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86f4a56b-863d-4505-b217-b503b9cefb0e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1291335
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1291335 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 15/08/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 8 other signatures 2->57 7 SecuriteInfo.com.Trojan.PackedNET.2273.21950.25588.exe 7 2->7         started        11 ZzsdQVILU.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\Roaming\ZzsdQVILU.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp61BA.tmp, XML 7->37 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 SecuriteInfo.com.Trojan.PackedNET.2273.21950.25588.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Injects a PE file into a foreign processes 11->71 23 ZzsdQVILU.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 39 api4.ipify.org 104.237.62.211, 443, 49721 WEBNXUS United States 13->39 41 api.telegram.org 149.154.167.220, 443, 49722, 49732 TELEGRAMRU United Kingdom 13->41 43 api.ipify.org 13->43 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        45 173.231.16.76, 443, 49725 WEBNXUS United States 23->45 47 192.168.2.1 unknown unknown 23->47 49 api.ipify.org 23->49 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->73 75 Tries to steal Mail credentials (via file / registry access) 23->75 77 Tries to harvest and steal browser information (history, passwords, etc) 23->77 33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dc72c3da125cac80b5cafb89d523c7b77b357f551fa4366efcd1fd83b568e942/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-15 10:03:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3rzmhwqslswibnok7oe5ki6hw55tk72vd6sdm3x42h6yhnli5fba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
120f07b74d3851e775ca166a3f24e4c797370fba8ff5de503bc11f9f2e096638
AgentTesla
135f9805df67da21d95c184b5b6dec71829fd39ed2ef6eaf2b984088ce4a1c03
AgentTesla
2768400847a861225f77e29ea61b399ab730571e068f3fa8a48072c94dc893e6
AgentTesla
2eaf94da95c7c5bfeee85e0c9b2eeb4203bc708e8538061624082b61866bc3b5
AgentTesla
2f2238ba20cda49017c3d861729bbcde2143576afab80b5a2e4b3476bd2ca1fc
AgentTesla
358659e950dae1b469fca25fb75167cae886174d21a9226fd8081fbd71d5abbc
AgentTesla
6a43a145806aa6aeef3f5c73d915281a6ea092e254ffa4fa8c2d14b0133eb603
AgentTesla
a1b22bb99dfebf6b3fc3fa288b770d64120cb17e0c9d904aac2f8a813b47e579
AgentTesla
bd9df3adf1e6c84fcab2206d63d2f02e3f1ce1b715c09459d21ff47c09cac2f8
AgentTesla
c0d4dfab211b00bc04b0ef763548fe9cd5d0ab7330546875ef1e29adcf33f800
AgentTesla
+ 1'080 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230815-mmndwscb7v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5909758224:AAHUq-oE7XvE2pdBSQLpVUjfMJcTBrNKjig/
Unpacked files
SH256 hash:
d49b6b98ce2072303df26f7fdd3bcf642267bd4d44be0bbbfabf7e9742618dd8
MD5 hash:
9668fa7d79bba30a0080007d155a5bd4
SHA1 hash:
c3df87d81ec44a86f03d12e8184fd9d8f2365233
Link:
https://www.unpac.me/results/528a7851-bcc7-4356-972b-589edae03cd6/
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/528a7851-bcc7-4356-972b-589edae03cd6/
SH256 hash:
75279a2f3680321caa5318ab879a321198d38abdd00782a711e40cfa437f3097
MD5 hash:
1c3b1632ca3be3a4f5b65a071277cf4b
SHA1 hash:
946123f0a882c1de3043ba967dab311077b58f6b
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/528a7851-bcc7-4356-972b-589edae03cd6/
SH256 hash:
0f2258c873fe8bdc4935443dbadfd36e39ab962fc8aefcdc5008011f4a9f0fe5
MD5 hash:
c89ebd879c5179c3c876a487e5ae90ad
SHA1 hash:
1d5e582604cd98701c05d73c800346c7d7f78edf
Link:
https://www.unpac.me/results/528a7851-bcc7-4356-972b-589edae03cd6/
SH256 hash:
dc72c3da125cac80b5cafb89d523c7b77b357f551fa4366efcd1fd83b568e942
MD5 hash:
79747753f64e2bd81a488214af41b3f8
SHA1 hash:
07e56abca89e7db93f8a0d82ea2bb0b31ec814a9
Link:
https://www.unpac.me/results/528a7851-bcc7-4356-972b-589edae03cd6/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc72c3da125c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/442753/

Comments