MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de373cb42386f956133546049fa24b0ec459a78c7e667c9d05c366c198b680b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16


SHA256 hash: de373cb42386f956133546049fa24b0ec459a78c7e667c9d05c366c198b680b3
SHA3-384 hash: f12f3ecf601a707b111898a4d2edec3b1b4a3eb1c5acbcf59cfb6072b622a772d5c190efd3b445723cafc083410606d3
SHA1 hash: e19add1ef9b87ef54de6870b229cfbcaaeddb0fa
MD5 hash: f8b75a887b9774203f7d77de434f40ea
humanhash: johnny-burger-freddie-london
File name: de373cb42386f956133546049fa24b0ec459a78c7e667c9d05c366c198b680b3
Signature: AgentTesla
File size: 227'744 bytes
First seen: 2022-08-05 09:04:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (31'209 x AgentTesla, 10'508 x Formbook, 5'466 x SnakeKeylogger)
ssdeep 6144:9ozPrnXx5dQkZdis9lWV8TSGjF/A/iepoUPNzHnt4V:9OPLhldis9YV8mGjF/8RpVVzHnt4V
TLSH T1EB24CF8CB690749FC41BCA728AA45C20AB706676530BD203A473B2AC9D4D7DBCF15DF2
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 4f07090d0d014f8c (21 x SnakeKeylogger, 9 x Formbook, 7 x AgentTesla)
Reporter @adrian__luca
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 269
Origin country: HU
Mail intelligence: No data
Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: de373cb42386f956133546049fa24b0ec459a78c7e667c9d05c366c198b680b3
Verdict: Malicious activity
Analysis date: 2022-08-05 09:05:37 UTC
Tags: agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-07-21 17:59:30 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 14 of 26 (53.85%)
Threat level: 5/5
Verdict: malicious
Label(s): agenttesla
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Unpacked files
SHA256 hash: b50b0e29ebe23ca45b3ae333c2791f8d225624625f89d941daa9bcdb78f316fe
MD5 hash: 7584c20fbe682b997da8e3210338b416
SHA1 hash: c60bdc70d1b4039ffb7fc28f3ab551636f67f6c9
SHA256 hash: 4c48786ef1209b7d06d3331a42f7721e4edfd482ac4ce5c1e5b133e55d6bfa32
MD5 hash: 99b654cdd3c3b01f32981b0a878cff2c
SHA1 hash: 816e63ecb9ad94684be67038e23de64caba35f29
SHA256 hash: de373cb42386f956133546049fa24b0ec459a78c7e667c9d05c366c198b680b3
MD5 hash: f8b75a887b9774203f7d77de434f40ea
SHA1 hash: e19add1ef9b87ef54de6870b229cfbcaaeddb0fa
Malware family: AgentTesla.v3
Verdict: Malicious

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
