MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df4a1dc35bad21c273a18f9f89c3258382ba9416e60ead81c12bf89b1689060e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	df4a1dc35bad21c273a18f9f89c3258382ba9416e60ead81c12bf89b1689060e
SHA3-384 hash:	90e86d3dd9e7ba458d45c6594c2bab08f63300d2d9f9def528bff36e3e0ce2196f3ed275b1ed97678b2fa75cd0c65806
SHA1 hash:	5d5ceb23ec735dd7451171b11aca965e1c562a85
MD5 hash:	f0de661e23cc23a1f8803132ec4946a4
humanhash:	hot-cup-low-california
File name:	SecuriteInfo.com.Trojan.PackedNET.1755.16702.8332
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	888'832 bytes
First seen:	2023-01-10 12:46:46 UTC
Last seen:	2023-01-10 13:32:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:B/y202B9mCe29sSDS9SVTFUGs5nyyxDqEZV/NWCHgh/Wgfz:B/ySHe3SDESPUGs5nyCDqEZVeh/Wgf
Threatray	14'123 similar samples on MalwareBazaar
TLSH	T16615013916E5798DF83DA3BE9111D69803B5AE30C749E60D0DE736CBCAFD6299207213
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Trojan.PackedNET.1755.16702.8332

Verdict:

Malicious activity

Analysis date:

2023-01-10 12:48:13 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/1c540c67-ba9e-445e-bc0a-4ca69bdb6ed5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/351518/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1755.16702.8332.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63bd5e4d0fdf1633326e26a5/reports/c01a56a7-0143-4f58-a35c-d35afa2ea873/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/978e3de2-3c45-4a0c-88c8-c4c3c0383db8

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1148730

Signature

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/df4a1dc35bad21c273a18f9f89c3258382ba9416e60ead81c12bf89b1689060e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-01-10 12:47:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 39 (64.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=35fb3q23vuq4e45br6pytqzfqoblvfaw4yhk3aobfp4jwfujayha._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

24db2e7ba38ff5dc81c50e2b03c174de23cad2b480bb82a989b00f12767e19a0

AgentTesla

4a0f195296d29cba9e753eb3b084961e5f6ff9320c2b4338c4cb8616c39ff8ac

AgentTesla

8373691997253a144ab7c2059be27c2b1aa3e2172c424058cba3df514f9903b0

AgentTesla

916d30f29bbbbbbf9cd02ee4c66d611750d1a0aafa7b3f364b35e46216ae90a3

AgentTesla

a32619cd26fbb97072657ec6a481d4f4fd6c51b72ea5ea0837006d9a8dd24800

AgentTesla

db31c43819071dc78a0fbf9eea7d924026b1894c5415b76636dc533c7cb370c9

AgentTesla

f5c710060042d56e8e18e0d42256a4959c8d5529f8ea90e8e3084a742a9027f4

AgentTesla

+ 14'113 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230110-pz7z6sga74/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/91405f77-954e-40c8-a972-c3537fc46d00

Unpacked files

SH256 hash:

a02371ecae9b237a58e9fb28040fac95973dd7ce55465f2dcab3fcd7cd931201

MD5 hash:

bda8f86c4dcd493b1f9ac5777b707b82

SHA1 hash:

dd97fa9c692f9c2a3cc79519e69dcf82aecfcf6c

Link:

https://www.unpac.me/results/95356638-0bf8-458f-9885-b2cfcc78258b/

SH256 hash:

fb3f0d6b8b72899823d255046ee1be24ab0944c0daef5cf696b2a9828f3f18fb

MD5 hash:

508383a91853dca5cabb40248db0d273

SHA1 hash:

d0ef312d9b927661cae363dd5e7de7690e5b9d46

Link:

https://www.unpac.me/results/95356638-0bf8-458f-9885-b2cfcc78258b/

SH256 hash:

54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8

MD5 hash:

4f6caebd865502f7c8046fbae3284c61

SHA1 hash:

be357e832bf6f61454875b37a1759cf1c5fa5ca4

Link:

https://www.unpac.me/results/95356638-0bf8-458f-9885-b2cfcc78258b/

SH256 hash:

6c1808f07d0f7f6aec33fc30e28d61f71e72b2588362eafbc6fa880fa89712fa

MD5 hash:

0f3b20a2db71d9d3f8f2d06bd98a4c4f

SHA1 hash:

9f95395f7a1046dcbb53a62e065c9801d6185393

Link:

https://www.unpac.me/results/95356638-0bf8-458f-9885-b2cfcc78258b/

SH256 hash:

c47e2d12442ecc8e285ac50096896d2f5c5e7eb0d6be54c211011e8c440e2c83

MD5 hash:

134c8597c51c3ceb44400bc003c60fa2

SHA1 hash:

7ca835dd55c7a84175c03c86d2892719e3d05092

Link:

https://www.unpac.me/results/95356638-0bf8-458f-9885-b2cfcc78258b/

SH256 hash:

df4a1dc35bad21c273a18f9f89c3258382ba9416e60ead81c12bf89b1689060e

MD5 hash:

f0de661e23cc23a1f8803132ec4946a4

SHA1 hash:

5d5ceb23ec735dd7451171b11aca965e1c562a85

Link:

https://www.unpac.me/results/95356638-0bf8-458f-9885-b2cfcc78258b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/df4a1dc35bad21c273a18f9f89c3258382ba9416e60ead81c12bf89b1689060e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_AgentTesla_d3ac2b2f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/351518/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample