MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f87578f93b7160f35ba86268b9ebfa63e795113c42a4eb12c1b632d3fc3ed7e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f87578f93b7160f35ba86268b9ebfa63e795113c42a4eb12c1b632d3fc3ed7e3
SHA3-384 hash: dd195b11063da68ec8398559fc6a23d73a2f1d2dacdf251371deb9921a921b8ac0f7c60606f9f9581c3d182615070e09
SHA1 hash: c271d66be5d983ae44aefdf0f5f946131519a259
MD5 hash: 6070a1b84846a0946639a374043787d6
humanhash: stream-delta-equal-hydrogen
File name:168491916942a074a956b371af57bd67f974af391b5a7ff52d7976c014e7f42b7862e7cbc8685.dat-decoded
Download: download sample
Signature AgentTesla
Create hunting rule
File size:167'424 bytes
First seen:2023-05-24 09:06:11 UTC
Last seen:2023-06-19 16:33:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 3072:9qaoPc3WRhJd1a9d1FjnfGMPv3fsZJWBzjyLRxOCpyS0BCUKQP:tWRTfk/xHPvku3SRxzphcJ
Threatray 3'068 similar samples on MalwareBazaar
TLSH T16CF33A6C92C94E12D72D40F4F4B0515806B2A143861FE79D4EB0AAF63F5AFD3362ECA5
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:AgentTesla base64-decoded exe


Avatar
abuse_ch
Malware dropped as base64 encoded payload

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
168491916942a074a956b371af57bd67f974af391b5a7ff52d7976c014e7f42b7862e7cbc8685.dat-decoded
Verdict:
Malicious activity
Analysis date:
2023-05-24 09:07:32 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/b8aeefa3-04f9-4d85-a462-9ad7fcfdb0da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/391053/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.24596.23461.30211.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hacktool lolbin packed
Link:
https://www.filescan.io/uploads/646dd3b7cf634b8f311af50e/reports/922a9555-1951-4716-bc97-e4d22053731c/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/f87578f93b7160f35ba86268b9ebfa63e795113c42a4eb12c1b632d3fc3ed7e3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c1398501-103d-4733-85c3-641fab469505
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1241432
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f87578f93b7160f35ba86268b9ebfa63e795113c42a4eb12c1b632d3fc3ed7e3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 14:52:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
28 of 37 (75.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7b2xr6j3ofqpgw5imjult272mptzkej4iksowewbwyznh7b627rq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d04d01b0189a6d129f0f8dab1afdd3aeef49eafad1d208c93f7bc3dc0b36394
AgentTesla
168a35684463330d195c42fa3a922b6f5f76c1482859249ddedd5db5298a4db8
AgentTesla
2547bb68679d447dbde8f5631c385ba265aaf1dd9a8b3807e77ad475ad15adfa
AgentTesla
316483bf87a8932bf0d84dd527cce96da936a5612b005f5051b2656c39a9be62
AgentTesla
3c89cb1c6c74747eadb40f158ea38751bd1a61acdc789b86f0acd0a107b689e9
AgentTesla
6e57cd573de3d14fe09f11364476b54f2b935d545be1258ee843d31573846622
AgentTesla
7b4164cc352f02f53d9f49d8a5d6df6221b85c5412fcb133462c5d779730dc64
AgentTesla
c7e7c62f3d9ba103218de8ab0961e23821e91df67896cf7d450f39f535ca94f5
AgentTesla
d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15
AgentTesla
+ 3'058 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230524-k3a3dsbf87/
Behaviour
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
f87578f93b7160f35ba86268b9ebfa63e795113c42a4eb12c1b632d3fc3ed7e3
MD5 hash:
6070a1b84846a0946639a374043787d6
SHA1 hash:
c271d66be5d983ae44aefdf0f5f946131519a259
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/b3be4396-23c4-4915-a19e-ed5677732f87/
Parent samples :
f87578f93b7160f35ba86268b9ebfa63e795113c42a4eb12c1b632d3fc3ed7e3
8514688f25e263c5e78673ecf3275a0eb4d49bb7d155924d1a889b4f3a7eec49
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f87578f93b71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/f87578f93b7160f35ba86268b9ebfa63e795113c42a4eb12c1b632d3fc3ed7e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

42a074a956b371af57bd67f974af391b5a7ff52d7976c014e7f42b7862e7cbc8

AgentTesla

Executable exe f87578f93b7160f35ba86268b9ebfa63e795113c42a4eb12c1b632d3fc3ed7e3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2639973/
  
Dropped by
SHA256 42a074a956b371af57bd67f974af391b5a7ff52d7976c014e7f42b7862e7cbc8
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/391053/
  
URLhaus
https://urlhaus.abuse.ch/url/2637101/
  
URLhaus
https://urlhaus.abuse.ch/url/2637099/

Comments