MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df2ddabfa19f0d12d7626eb76d5202cfbfc21ea56f5b78505af147d827b1b590. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df2ddabfa19f0d12d7626eb76d5202cfbfc21ea56f5b78505af147d827b1b590
SHA3-384 hash: 51ea7cbdce26f03d534aff43b50b3ba705eacbe15b2a4dacdb467d7509a37aa23d75bc794cf375ddc6ea9d915b2dc3e8
SHA1 hash: f730c84d3e321e52a971ac906aabd1204e22ef66
MD5 hash: a7f410624e4870e19da2264ab6aeda6c
humanhash: queen-north-ten-may
File name:gSfsPa9oxjPyjps.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:706'048 bytes
First seen:2023-07-25 10:48:29 UTC
Last seen:2023-07-25 11:41:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:xVtNAR1Lo2vyRor7tMgXZMsxbhsO4gUK7E6Rn5KzaJmVOYDfLqTrQaSejL8Z8tGN:DgRdo2KRW76YCwbhsOVU/snAORyfLqTv
Threatray 816 similar samples on MalwareBazaar
TLSH T1A3E45ABC313477DFCA13C876D8642C60A6E0226747DBD28E882715AFBE1D5A6DE141F2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
gSfsPa9oxjPyjps.exe
Verdict:
Malicious activity
Analysis date:
2023-07-25 10:57:08 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/020b40e0-d4e3-41ab-af99-899bf21e91f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/432133/
Detection(s):
SecuriteInfo.com.Variant.Strictor.261807.1488.4286.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/df2ddabfa19f0d12d7626eb76d5202cfbfc21ea56f5b78505af147d827b1b590
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d5e06e0-d2c0-4a73-9180-59f10f1f4529
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279078
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1279078 Sample: gSfsPa9oxjPyjps.exe Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 5 other signatures 2->53 7 gSfsPa9oxjPyjps.exe 7 2->7         started        11 iYAoXaBIww.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\iYAoXaBIww.exe, PE32 7->31 dropped 33 C:\Users\...\iYAoXaBIww.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp6D81.tmp, XML 7->35 dropped 37 C:\Users\user\...\gSfsPa9oxjPyjps.exe.log, ASCII 7->37 dropped 55 Detected unpacking (changes PE section rights) 7->55 57 Detected unpacking (overwrites its own PE header) 7->57 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 69 3 other signatures 7->69 13 gSfsPa9oxjPyjps.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        61 Antivirus detection for dropped file 11->61 63 Multi AV Scanner detection for dropped file 11->63 65 May check the online IP address of the machine 11->65 67 Machine Learning detection for dropped file 11->67 21 iYAoXaBIww.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 mail.sienkakupeste.com 185.85.204.185, 49693, 49698, 587 GARANTISERVER-COMGarantiServerDatacenterTR Turkey 13->39 41 api4.ipify.org 173.231.16.76, 443, 49692, 49697 WEBNXUS United States 13->41 43 api.ipify.org 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 api.ipify.org 21->45 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->71 73 Tries to steal Mail credentials (via file / registry access) 21->73 75 Tries to harvest and steal browser information (history, passwords, etc) 21->75 29 conhost.exe 23->29         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/df2ddabfa19f0d12d7626eb76d5202cfbfc21ea56f5b78505af147d827b1b590/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 08:34:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=34w5vp5bt4grfv3cn23w2uqcz674ehvfn5nxquc26fd5qj5rwwia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e28ab95c508a3b0d17dd7279384d0353cd7fa83f6f5138746ed0b44679ee1c0
AgentTesla
3f57ab60565132e8efddcae07bb3718dbd04e3cf8a4886eb7cede077707f7469
AgentTesla
65c9bcd1cab3a872271057a7587e56591c94eea3f6edec16e214ff9062ae9010
AgentTesla
879eca4369184f195b068a157fb7ce88f5389a9c8ea744229ea6f0ab9894fd56
AgentTesla
9cd50229927cb6cc9e06d0884ab53ee5da6b8764fe60e326bbed779ddc5c8e2a
AgentTesla
b80d975ddd8e28bf201a5dd08cbfa50ef211aa5600f33b4c10e6d72068864f13
AgentTesla
dce92db361fb0e2b6cc00cb1b205288120af9c48b7ffdfc71b5735ad81c72b16
AgentTesla
e0efdd6252609b1039db00c31d375781a03b956a4ba65d8a11b5b81ce46a30d8
AgentTesla
ef2d17ea4829813cf2ce706c8095a6153d3f21b78bc9bae968ad35b3c1d2a971
AgentTesla
+ 806 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230725-mwpcjscg7y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/999774c2-4570-4515-bec1-ead406292c4b/
SH256 hash:
55fcf651dcd5cbc3e91d8e102181b8c8ba6649b755d9210983727dbcdf25f4ce
MD5 hash:
22263d7a2c111e1d81b49d9a192015ce
SHA1 hash:
9858a590480824e3ee71f68ef7c8c8fe0fd1350f
Link:
https://www.unpac.me/results/999774c2-4570-4515-bec1-ead406292c4b/
SH256 hash:
3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9
MD5 hash:
a5228b97b33467ac41fac5cac2718252
SHA1 hash:
28bb020c8a53b046fc8e8106f2913e62c5941a0d
Link:
https://www.unpac.me/results/999774c2-4570-4515-bec1-ead406292c4b/
SH256 hash:
ebae53078ad89c341b0f4ce1de0266250507cc4aeefb8c584ede6321b506ec87
MD5 hash:
c650d65e5b9e49c38fb1d76806c73bd3
SHA1 hash:
17ea7265ca7c33da35677ecab8e28feb330d7fa5
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/999774c2-4570-4515-bec1-ead406292c4b/
Parent samples :
193e2444ca045fd813211cd2c4093f882b6d0bfe183d7a66ad3492bf90b00d3c
b8ebf4c879d3231dab03c47776dc6c85a9c46ac60562c99052a6c29546c886f1
80ae62b5d4012d415c4cb598140cfb6ad485b07f712a0c40d31d6fb46c4dd922
62ba9abf9812bfe84b4861cf596cee1c5a0cc1909e838ee8a31330509bd65147
df2ddabfa19f0d12d7626eb76d5202cfbfc21ea56f5b78505af147d827b1b590
41ece53ba5688f97959fa0ebdbfb979c0b60ee534e05b094bae8cef005875876
0972105c3cb2d74e7cb3f00ddcc6cc96089524d5625b62f71e27d5857c6eba40
SH256 hash:
df2ddabfa19f0d12d7626eb76d5202cfbfc21ea56f5b78505af147d827b1b590
MD5 hash:
a7f410624e4870e19da2264ab6aeda6c
SHA1 hash:
f730c84d3e321e52a971ac906aabd1204e22ef66
Link:
https://www.unpac.me/results/999774c2-4570-4515-bec1-ead406292c4b/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df2ddabfa19f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df2ddabfa19f0d12d7626eb76d5202cfbfc21ea56f5b78505af147d827b1b590

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe df2ddabfa19f0d12d7626eb76d5202cfbfc21ea56f5b78505af147d827b1b590

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/432133/

Comments