MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de32e114e23cf733de64abb21ab9fa39491ef746313df88d8c5136e15d9bb9bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de32e114e23cf733de64abb21ab9fa39491ef746313df88d8c5136e15d9bb9bd
SHA3-384 hash: bd57244dd738e4634f3c0f3da47bc1520b27a1877662266f9ea8b0ed48ff9a2cbca12613f0ab6c260c2c5a091372d043
SHA1 hash: 1819f021ed37dba95595a8676beef827907ddd19
MD5 hash: 3d92ed8388943a0047236ccd4e141afd
humanhash: alaska-seventeen-november-six
File name:PO75773937475895377.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:64'872 bytes
First seen:2021-04-07 11:20:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:hqsf49K00d7zGExUc3YLlgUcEhWcQCSR/+hLOKl3Ul3MhDePCXHLsZYhdFMLDSN3:8uAKdd7qCYRbSg
Threatray 3'856 similar samples on MalwareBazaar
TLSH 1453A4111AB10993F71AF0BD4EB667B284EDB5545A63A4EF0FB483A86DCBF190187C31
Reporter abuse_ch
Tags:AgentTesla bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO75773937475895377.bat
Verdict:
Malicious activity
Analysis date:
2021-04-07 11:47:17 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/5778e0b4-2354-43f6-ace4-b02b6c7690c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132833/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.8887.17209.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Creating a file
Moving a recently created file
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Blocking the User Account Control
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e44aa9bc-d24d-45f7-9795-fec2362919f0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/668559
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383208 Sample: PO75773937475895377.bat Startdate: 07/04/2021 Architecture: WINDOWS Score: 80 50 Found malware configuration 2->50 52 Yara detected AgentTesla 2->52 7 PO75773937475895377.exe 21 11 2->7         started        12 SWqTT.exe 2->12         started        14 SWqTT.exe 2->14         started        process3 dnsIp4 42 myliverpoolnews.cf 104.21.56.119, 443, 49710, 49712 CLOUDFLARENETUS United States 7->42 40 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->40 dropped 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->54 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->56 58 Adds a directory exclusion to Windows Defender 7->58 60 2 other signatures 7->60 16 PO75773937475895377.exe 7->16         started        20 cmd.exe 7->20         started        22 powershell.exe 24 7->22         started        24 3 other processes 7->24 44 192.168.2.1 unknown unknown 12->44 46 172.67.150.212, 443, 49729 CLOUDFLARENETUS United States 14->46 file5 signatures6 process7 file8 36 C:\Users\user\AppData\Roaming\...\SWqTT.exe, PE32 16->36 dropped 38 C:\Users\user\...\SWqTT.exe:Zone.Identifier, ASCII 16->38 dropped 48 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->48 26 conhost.exe 20->26         started        28 timeout.exe 20->28         started        30 conhost.exe 22->30         started        32 AdvancedRun.exe 24->32         started        34 conhost.exe 24->34         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de32e114e23cf733de64abb21ab9fa39491ef746313df88d8c5136e15d9bb9bd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 11:21:08 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3yzocfhcht3thxtevozbvop2hfer552gge67rdmmke3ocxm3xg6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
174d9ba2e89f897d84a612d59117d349773c91f129aa8cdb8ad8a29d576fa8af
AgentTesla
23eb242e4f23685da9d82fba572f068eb1ba1ea55f20bde41f30bd180e5688fd
AgentTesla
6118f0c08d35a0dacc436ecc89379620c5d966f7cba43a6148684dd4a06c81ad
AgentTesla
6ba8c40649c6be2f68bcf24452060cc9f8d6df91db26ec889b1e57481fab55dd
AgentTesla
7b13c46563325621aa15ff5ff9b39f5ea09367e4e91a16a7ff4cdcd52e0e5332
AgentTesla
8156ce4621048984bce4875898da52376777c2380543fd353de5af5b72c5ebca
AgentTesla
93c5bfb2b4a47759762d3ae4b1d80c2de8a4d41860d18c55cafa7607a8e7f1c4
AgentTesla
a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
AgentTesla
c15a76e6023a05abd0237937cad3353bc104e97ee19d2fbcd475e1721b330c50
AgentTesla
fe443666d12a1f8abc14589390805436e14c0131b9705c38dd425a1f687e8949
AgentTesla
+ 3'846 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210407-acj2l344t2/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
de32e114e23cf733de64abb21ab9fa39491ef746313df88d8c5136e15d9bb9bd
MD5 hash:
3d92ed8388943a0047236ccd4e141afd
SHA1 hash:
1819f021ed37dba95595a8676beef827907ddd19
Link:
https://www.unpac.me/results/fa225ec2-00b3-45d9-b7f2-c29a8528f1a0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/de32e114e23cf733de64abb21ab9fa39491ef746313df88d8c5136e15d9bb9bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe de32e114e23cf733de64abb21ab9fa39491ef746313df88d8c5136e15d9bb9bd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132833/

Comments