MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb617190b27e7449ed078297a96bf5b8b11e02e0f3bf1fa2bc947cac60e8590c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb617190b27e7449ed078297a96bf5b8b11e02e0f3bf1fa2bc947cac60e8590c
SHA3-384 hash: 85615a7548e0ca4f296d662eeae56c5e32c676eb2d24639002f33843e0a094acdf8e3eb0f62d4294816249a36d8dcb07
SHA1 hash: cb3d4ebe25321e370a81449eab26debb946e73a7
MD5 hash: 71dc2ce12aee1cbcd299fcc20901a95c
humanhash: nevada-kentucky-romeo-charlie
File name:9692532161_INV_SZV_WJG_001_20230831_180610.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:597'504 bytes
First seen:2023-08-31 13:02:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:bzfOZ1Lmv7j07El6ihsgNXYbll01bfCCBSUgUZFBJkW+CUc:vWZ+f0Yl7hLNXClSRaCo2bDkDCt
Threatray 5'445 similar samples on MalwareBazaar
TLSH T146D41200B2B93F23E57483FA8555B21007F297126322E52C1EE472DBAE27F56987C75B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
9692532161_INV_SZV_WJG_001_20230831_180610.exe
Verdict:
Malicious activity
Analysis date:
2023-08-31 13:05:54 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/85b928cf-afe0-4e36-8ce8-474cd95f054a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445474/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64f08f897444d2eb09f40cfa/reports/186ffb49-5798-4cf3-aa41-cb335a063e98/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/eb617190b27e7449ed078297a96bf5b8b11e02e0f3bf1fa2bc947cac60e8590c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9385968c-bbe8-406b-b101-49843a576b5c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1301043
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb617190b27e7449ed078297a96bf5b8b11e02e0f3bf1fa2bc947cac60e8590c/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-08-31 13:01:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5nqxdefspz2et3ihqkl2s27vxcyr4axa6o7r7iv4sr6kyyhilega._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
47764a3fd4c9b5502c0f927992cfd4a3c7e16b70228b613c08ec60733ce8f60c
AgentTesla
513b504d6939f1a106cf21f1f4029ab30c5f701fbcf63881b1a5df7466ed2eb1
AgentTesla
53224dc914e12b6a02b83e05380d13298bc3720f93eea15ee6205dc51aa2a948
AgentTesla
7abcf6dd45f7dd04716c72f511eac0642bb2401da536123698f117b0896816f3
AgentTesla
988de5533ea7c98cdc0974eeb98cc650bdc4f991df9c8f0f85c5a7d4e7611b45
AgentTesla
9f8dd7a2f5e56970c9e6aa9af1c62b9d1d2ee03ca5dc33f9d6d376edd3bc0cdd
AgentTesla
ba7f9aa187f2834a0e730911db8e70b035a93c5bfd1d98306a1b8841ee63d9a8
AgentTesla
+ 5'435 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230831-qacneaeg7t/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
988de5533ea7c98cdc0974eeb98cc650bdc4f991df9c8f0f85c5a7d4e7611b45
MD5 hash:
173dca1136f18febdf8370b171eab365
SHA1 hash:
74528a60287cad71165c6c3fe2fabdcab9fa0f10
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/fe2d4b69-f3b2-48b4-82ff-0a36d5c1c685/
Parent samples :
988de5533ea7c98cdc0974eeb98cc650bdc4f991df9c8f0f85c5a7d4e7611b45
513b504d6939f1a106cf21f1f4029ab30c5f701fbcf63881b1a5df7466ed2eb1
9f8dd7a2f5e56970c9e6aa9af1c62b9d1d2ee03ca5dc33f9d6d376edd3bc0cdd
eb617190b27e7449ed078297a96bf5b8b11e02e0f3bf1fa2bc947cac60e8590c
SH256 hash:
c094444932babf732e788625413d66665af54fa789015decb7e2da3d3ab25dc3
MD5 hash:
49204dbac9267797c9f6679a4bac06ec
SHA1 hash:
5590f19a53f6e6a88d14adfbc83ea1cd7ae002c7
Link:
https://www.unpac.me/results/fe2d4b69-f3b2-48b4-82ff-0a36d5c1c685/
SH256 hash:
7a1174741565a52f78766d7a220eed0417401d41b74f1fd78cbc682eba20fed8
MD5 hash:
e393329144dfe42dae039f7c7aa96b43
SHA1 hash:
31f47a573c197e1e675f601b21150b604a3a0adf
Link:
https://www.unpac.me/results/fe2d4b69-f3b2-48b4-82ff-0a36d5c1c685/
SH256 hash:
598a766b26fc39c1092e2f20cee1f42df6d6049d618ac5d4d331c646ab6a8b47
MD5 hash:
00c960e10d544bd0961a993c3c6dbbe5
SHA1 hash:
04018db21d1b12800f1bc413b90ccb3264955bcb
Link:
https://www.unpac.me/results/fe2d4b69-f3b2-48b4-82ff-0a36d5c1c685/
SH256 hash:
eb617190b27e7449ed078297a96bf5b8b11e02e0f3bf1fa2bc947cac60e8590c
MD5 hash:
71dc2ce12aee1cbcd299fcc20901a95c
SHA1 hash:
cb3d4ebe25321e370a81449eab26debb946e73a7
Link:
https://www.unpac.me/results/fe2d4b69-f3b2-48b4-82ff-0a36d5c1c685/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb617190b27e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb617190b27e7449ed078297a96bf5b8b11e02e0f3bf1fa2bc947cac60e8590c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/445474/

Comments