MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df1c23098518c7b4e5011924bfd98eaaa244e2bf9bb6104d8cd6b54cb3049ac0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	df1c23098518c7b4e5011924bfd98eaaa244e2bf9bb6104d8cd6b54cb3049ac0
SHA3-384 hash:	4cb32c42cd25026dc4069172bde73760f90939d6423da86ef5ba43b98ba52424cbab1f9968fe8fb349d6a510c99e1e6a
SHA1 hash:	1928b7c6fa6cb5b5e90eda5e3347666a1edaff40
MD5 hash:	e848be9969710866044835bfc8d2b70a
humanhash:	april-nine-snake-foxtrot
File name:	SecuriteInfo.com.Win32.TrojanX-gen.6255.979
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	719'872 bytes
First seen:	2023-09-26 12:05:46 UTC
Last seen:	2023-09-26 12:34:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep	12288:jhBOnsvyN964HQlq7Sb/YsSfpZWNPP39JYnRx1PE+x4Op/E96IVw4GyPErvor9e4:jhB/zq7STJaRjPEw4Op/L6wsP
Threatray	5'767 similar samples on MalwareBazaar
TLSH	T160E4E09C3610B6DFC86BCD768A641C64EB6064BB531BE243A44719EDAA0D6DBCF101F3
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Win32.TrojanX-gen.6255.979

Verdict:

Malicious activity

Analysis date:

2023-09-26 12:07:07 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/28409721-5027-49f3-9868-ef96056a1877

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/451262/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Restart of the analyzed sample

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/6512c92b34be449f0119eec7/reports/f9d92e2c-30fb-4cd9-95a3-14433f2b551b/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/df1c23098518c7b4e5011924bfd98eaaa244e2bf9bb6104d8cd6b54cb3049ac0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f0ad8834-5064-421a-976d-bcd7c887404e

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1314484

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/df1c23098518c7b4e5011924bfd98eaaa244e2bf9bb6104d8cd6b54cb3049ac0/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-09-26 10:51:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 34 (52.94%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=34ocgcmfddd3jzibdesl7wmovkrejyv7to3batmm222uzmyetlaa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2eaf94da95c7c5bfeee85e0c9b2eeb4203bc708e8538061624082b61866bc3b5

AgentTesla

42715639c8e8557bba09d97271da711e53773311b354b802bd3136870ca2098c

AgentTesla

68d7bd6dc7ce2ada6af865682185e9f2c33c897ec3191f0d6127d3654e69b4a1

AgentTesla

97fd0ea2f2ebe8dc9decafa546e62a5225feca31893c1e1dd820540d4211a594

AgentTesla

9e5550baaff66b95e879eaec6b64570be212108120e8da8b6b7cc9e59d943475

AgentTesla

ad67a54eaf179539edf3c7949fd5a2b0939b52eea4512a9f16840fdaf9b43f03

AgentTesla

fc7332e86188490e730a72e040963619564ff94a46616c206f4ae9f71e1f836d

AgentTesla

+ 5'757 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230926-n9qyzahb4x/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

8166edc6402990e60b92312dd5e6347d8579bfff3958e37bed5cebc316705c5b

MD5 hash:

5cad89fc586f13bd55a4788c995ec3d9

SHA1 hash:

e767585176f1a7ca61ca7a8b732f791a4f883c45

Link:

https://www.unpac.me/results/4c3a03a7-8ad9-4fbf-a3ec-ac5ac2391a18/

SH256 hash:

24a28ba2e1bcc4bdf39f8c22c0ba61ad79c25c9787e33259938d57e544c5a08b

MD5 hash:

77097de456ba95689e1c044580b82f16

SHA1 hash:

d3ad1f00fec1cdcd2db04851ca08bd1d554b6e10

Link:

https://www.unpac.me/results/4c3a03a7-8ad9-4fbf-a3ec-ac5ac2391a18/

SH256 hash:

f4aa6ce06dc3b847bd738cc97c17fcd23219b2d5d63c39cd60dbfc8f24306fa0

MD5 hash:

5bd4177af5ef90da01e409bce1df3ce3

SHA1 hash:

ba21087acc3af5c7f01e988d76a3b63ea5ab78a1

Detections:

AgentTesla

Link:

https://www.unpac.me/results/4c3a03a7-8ad9-4fbf-a3ec-ac5ac2391a18/

SH256 hash:

df4ae14aba1386482151a3b8cc58ef081c58306da7f4cc0c35e0718242cf043c

MD5 hash:

8383b9306b9b5929b0aed1f24991d929

SHA1 hash:

6acebb9f139a62de981a3ec15ce35f61f5c3132e

Link:

https://www.unpac.me/results/4c3a03a7-8ad9-4fbf-a3ec-ac5ac2391a18/

SH256 hash:

df1c23098518c7b4e5011924bfd98eaaa244e2bf9bb6104d8cd6b54cb3049ac0

MD5 hash:

e848be9969710866044835bfc8d2b70a

SHA1 hash:

1928b7c6fa6cb5b5e90eda5e3347666a1edaff40

Link:

https://www.unpac.me/results/4c3a03a7-8ad9-4fbf-a3ec-ac5ac2391a18/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/df1c23098518/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/df1c23098518c7b4e5011924bfd98eaaa244e2bf9bb6104d8cd6b54cb3049ac0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/451262/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample