MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df2ac2b254e2e1f6cf7775179ec5af8b4785e3eeadf0f0364b46f33da5068e62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df2ac2b254e2e1f6cf7775179ec5af8b4785e3eeadf0f0364b46f33da5068e62
SHA3-384 hash: da7007acd9ec9bfb50562d72906c7875b49df8e7eaed0ff4b6aef9d4c98c95b97f02d2b8b10b29900c186a1cd07d99ad
SHA1 hash: f5c23f45f7b019f0ddd45ac4a78b53ac72cee985
MD5 hash: 933a4278a070f87cddf06e353dc33a82
humanhash: ceiling-orange-glucose-mirror
File name:SecuriteInfo.com.W32.AIDetectNet.01.14970.29838
Download: download sample
Signature AgentTesla
Create hunting rule
File size:24'576 bytes
First seen:2022-05-11 02:38:00 UTC
Last seen:2022-05-11 05:38:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 192:kJLskehDYO0qbh1bTpjy1nup00s9lx00h:2ehMHSh1bRy1nHdHx00
Threatray 204 similar samples on MalwareBazaar
TLSH T17FB2215B775D8225D9A30A75FCA351880676BF02A4D2A71FE4E4BD2F3F331084B72661
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 10828c8c84868010 (5 x AgentTesla, 3 x NanoCore)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://136.144.41.76/sttwo/inc/bcd1a4ee0cf2c7.php https://threatfox.abuse.ch/ioc/549511/

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269583/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.14970.29838.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/627b21aebd5c76586e2bba28/reports/f88dc046-1f1d-4a86-a1ec-ccdb8318445e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1b08fd1-3a8f-4014-9814-5957b0f12cbd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991590
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Creates multiple autostart registry keys
Document exploit detected (process start blacklist hit)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624086 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 4 other signatures 2->78 8 SecuriteInfo.com.W32.AIDetectNet.01.14970.exe 16 8 2->8         started        13 excel.exe 2->13         started        15 Wzemrkwaf.exe 14 3 2->15         started        17 2 other processes 2->17 process3 dnsIp4 70 3.68.158.237, 49741, 49759, 49760 AMAZON-02US United States 8->70 60 C:\Users\user\AppData\...\Wzemrkwaf.exe, PE32 8->60 dropped 62 C:\Users\user\...\Zhslsmbpracrszoi.exe, PE32 8->62 dropped 64 SecuriteInfo.com.W...et.01.14970.exe.log, ASCII 8->64 dropped 90 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->90 92 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->92 94 Creates multiple autostart registry keys 8->94 102 2 other signatures 8->102 19 SecuriteInfo.com.W32.AIDetectNet.01.14970.exe 2 5 8->19         started        24 Zhslsmbpracrszoi.exe 14 4 8->24         started        26 cmd.exe 1 8->26         started        96 Multi AV Scanner detection for dropped file 13->96 98 Document exploit detected (process start blacklist hit) 13->98 100 Injects files into Windows application 13->100 28 cmd.exe 13->28         started        30 cmd.exe 1 15->30         started        32 cmd.exe 17->32         started        file5 signatures6 process7 dnsIp8 66 136.144.41.76, 49770, 49831, 80 WORLDSTREAMNL Netherlands 19->66 68 192.168.2.1 unknown unknown 19->68 56 C:\Users\user\AppData\Roaming\...\excel.exe, PE32 19->56 dropped 58 C:\Users\user\...\excel.exe:Zone.Identifier, ASCII 19->58 dropped 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->80 82 Tries to steal Mail credentials (via file / registry access) 19->82 84 Creates multiple autostart registry keys 19->84 88 4 other signatures 19->88 86 Injects a PE file into a foreign processes 24->86 34 cmd.exe 1 24->34         started        36 Zhslsmbpracrszoi.exe 24->36         started        38 conhost.exe 26->38         started        40 timeout.exe 1 26->40         started        42 conhost.exe 28->42         started        44 timeout.exe 28->44         started        46 conhost.exe 30->46         started        48 timeout.exe 1 30->48         started        50 2 other processes 32->50 file9 signatures10 process11 process12 52 conhost.exe 34->52         started        54 timeout.exe 1 34->54         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/df2ac2b254e2e1f6cf7775179ec5af8b4785e3eeadf0f0364b46f33da5068e62/
Threat name:
ByteCode-MSIL.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 23:46:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=34vmfmsu4lq7nt3xoulz5rnprndyly7ovxypansli3zt3jigrzra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
002ca5af13bbd9eb536df65ca6116638031e2c587fa84c179ac16631e3223b4a
AgentTesla
0bc2d39e3f0460d299a315cb249fd7f0d863325f8bf666355cac323847a34bbb
AgentTesla
16ab238a5b8fc0de74ddda698db8182e8193e65f7003124a0f954313cf86e048
AgentTesla
29478db896444dc2bed1ae2346fcb41e505152127be5d1798851964210c264a7
AgentTesla
31b57c8bdc8e2a57aab3585b53904eb130fe155c96f095951eccec5a02a6451d
AgentTesla
618fd616284d3fe84cff8f2fd38ee1c4cae578b619d70a59fc7d7b34f8eb6710
AgentTesla
ef83f00952dab1229b5943f9afde55837ef0d46d3dfe6b11063d85bbd4a1a8fe
AgentTesla
+ 194 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220511-c4qkgadgf9/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
suricata: ET MALWARE AgentTesla Communicating with CnC Server
Malware Config
C2 Extraction:
http://136.144.41.76/sttwo/inc/bcd1a4ee0cf2c7.php
Unpacked files
SH256 hash:
df2ac2b254e2e1f6cf7775179ec5af8b4785e3eeadf0f0364b46f33da5068e62
MD5 hash:
933a4278a070f87cddf06e353dc33a82
SHA1 hash:
f5c23f45f7b019f0ddd45ac4a78b53ac72cee985
Link:
https://www.unpac.me/results/7824c7dc-8210-4ffd-ac86-8f39813a2159/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df2ac2b254e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/df2ac2b254e2e1f6cf7775179ec5af8b4785e3eeadf0f0364b46f33da5068e62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269583/

Comments