MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f651afc8738f0810f0b6eb4fd595a5115face71e1903370cc1e4594a1993f77b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f651afc8738f0810f0b6eb4fd595a5115face71e1903370cc1e4594a1993f77b
SHA3-384 hash: 4f1a4a3dbfaa0cfb0001c5d154c19abf311c9cf7286cc6f409c21343a1d9be61940f236b1d4b4dc533e0dc88fc75a737
SHA1 hash: b0b35cd1a9c34d420745b00fb7a725a7b84568c4
MD5 hash: 357672c5cffd689e8ba0b32e6aafd80b
humanhash: ceiling-black-comet-december
File name:SecuriteInfo.com.Win32.CrypterX-gen.22083.9217
Download: download sample
Signature AgentTesla
Create hunting rule
File size:860'672 bytes
First seen:2023-02-23 11:28:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ItFpb5PHF/EVIX5X69J7BhLg7OHY9NcUUMv4Azl+dtoPu:ItFV5PF/EVIX5aPaNBD4ACtcu
Threatray 863 similar samples on MalwareBazaar
TLSH T1BE057B47BBF09076F99E41AC063916CF5E31B253725CE2261F3B69488D46EFBB1C8612
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.CrypterX-gen.22083.9217
Verdict:
Malicious activity
Analysis date:
2023-02-23 11:36:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/47c6db66-9fcb-4099-a300-104f105828e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369255/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.CrypterX-gen.22083.9217.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f74e015741abdfaa9f26d3/reports/f6223ed1-d1fb-4ece-94b6-2cb6a590763d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f651afc8738f0810f0b6eb4fd595a5115face71e1903370cc1e4594a1993f77b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9943c7e0-70f4-4504-a0fe-89472c4926aa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181220
Signature
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 814051 Sample: Lista zam#U00f3wie#U0144 za... Startdate: 23/02/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 Yara detected Telegram RAT 2->53 55 7 other signatures 2->55 7 Lista zam#U00f3wie#U0144 zakupu.exe 7 2->7         started        11 oLRvZRQTgF.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\...\oLRvZRQTgF.exe, PE32 7->37 dropped 39 C:\Users\...\oLRvZRQTgF.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmpEF38.tmp, XML 7->41 dropped 43 Lista zam#U00f3wie#U0144 zakupu.exe.log, ASCII 7->43 dropped 57 Adds a directory exclusion to Windows Defender 7->57 13 Lista zam#U00f3wie#U0144 zakupu.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->59 61 Machine Learning detection for dropped file 11->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->63 23 oLRvZRQTgF.exe 11->23         started        25 schtasks.exe 11->25         started        27 oLRvZRQTgF.exe 11->27         started        signatures5 process6 dnsIp7 45 api.telegram.org 149.154.167.220, 443, 49696, 49697 TELEGRAMRU United Kingdom 13->45 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        47 192.168.2.1 unknown unknown 23->47 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->65 67 Tries to steal Mail credentials (via file / registry access) 23->67 69 Tries to harvest and steal browser information (history, passwords, etc) 23->69 35 conhost.exe 25->35         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f651afc8738f0810f0b6eb4fd595a5115face71e1903370cc1e4594a1993f77b/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-02-23 10:16:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
20 of 25 (80.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6zi27sdtr4ebb4fw5nh5lfnfcfp2zzy6debtodgb4rmuugmt655q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
53eb83560df949284e8d00992e7a5acf16c77ea64ee89c0bc4b16d394640456b
AgentTesla
6148f139f5f3771a7ca863598c56555177e1611e3e83749c44ebef5a3728d703
AgentTesla
6a38cb877dc57efa24fe27df01e1a11c4006ff7f9faa20a68aebbf6f3984ffcd
AgentTesla
780820fc83c352314c4cc0dd4f09b486b8fc95abc03857211d985737fbf267ad
AgentTesla
9c631e71ef60bbef156026476390c65643d7e8200a15f97dbf38d40699ba1153
AgentTesla
a4760317e65f79bf80363952cc156693afacfb327a2459eb30966ea11c824262
AgentTesla
acec9cba576448399a9e351526c7daeff1dfe09ff2203cad80c28b05acbf0aa6
AgentTesla
c4a313a6d301b83f26b859de2a4254fbaf6b2f0d38ca3f20f1f17c05497d945f
AgentTesla
d6bac215a8319d665c5610bc0f9e66e36581c2c92462a5d523f3238869499ffd
AgentTesla
ded62740ea698cc805954c1ad4f202a8bb94a709329baf613ba0178c3f79d15f
AgentTesla
+ 853 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230223-nlkr2sff68/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5932003035:AAGiWu3EDh9FYzqRKIySebzjjQ5uW0afS3o/
Unpacked files
SH256 hash:
264437ff44418cb605bee58ae36fe8dba76e4fab4a5c814f8bd68a160b7febb2
MD5 hash:
2e077ba2c5f29627caadc715fc4ff931
SHA1 hash:
8f7ad47f12ee14aa712a7a7a6ae74d29cda93d5a
Link:
https://www.unpac.me/results/1cd0a776-c1c9-4ec9-843b-8c5eab7744dc/
SH256 hash:
b2dd5bcf9138720f9ffeca3b8aefa001e40b2dd879c1db3bb8e47281c3575f8e
MD5 hash:
301d49f143b4559eebb04d6604c9c806
SHA1 hash:
8e1065918d606bf77bf8d0fd3375de5c1e4ec0b3
Link:
https://www.unpac.me/results/1cd0a776-c1c9-4ec9-843b-8c5eab7744dc/
SH256 hash:
85848e5a68b88f0f20071dd4dc432a1c63e8994602be8dbabb483d8c4154f476
MD5 hash:
e712c9d153fb05b74690195362d96c19
SHA1 hash:
73673129e4867cca964a2fff2a7d8577952a1285
Link:
https://www.unpac.me/results/1cd0a776-c1c9-4ec9-843b-8c5eab7744dc/
SH256 hash:
06964bce7281c4f97d26ef75139bc8d1483d8521c42382ad4f19b352f9a149ba
MD5 hash:
83d35debf6fe73f3ee2cb588f34efec8
SHA1 hash:
5bcc8475e97586028318ae3f7a652ed5eff3e15b
Link:
https://www.unpac.me/results/1cd0a776-c1c9-4ec9-843b-8c5eab7744dc/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/1cd0a776-c1c9-4ec9-843b-8c5eab7744dc/
SH256 hash:
f651afc8738f0810f0b6eb4fd595a5115face71e1903370cc1e4594a1993f77b
MD5 hash:
357672c5cffd689e8ba0b32e6aafd80b
SHA1 hash:
b0b35cd1a9c34d420745b00fb7a725a7b84568c4
Link:
https://www.unpac.me/results/1cd0a776-c1c9-4ec9-843b-8c5eab7744dc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f651afc8738f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f651afc8738f0810f0b6eb4fd595a5115face71e1903370cc1e4594a1993f77b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369255/

Comments