MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd987d623939a8b69f25a2b8350fb6e76a51e77545add40658fc60f00950d625. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd987d623939a8b69f25a2b8350fb6e76a51e77545add40658fc60f00950d625
SHA3-384 hash: 806be308316e6c0d037c767dd6f5c32a81305c76db9ab030220eb552d1ec8443bc964877fce4360a790eb954740857a5
SHA1 hash: a023833da6bc0ecbaa674be65bdfd75b0df7b9bb
MD5 hash: 005c45c7069070fe6ad1f112a16f135c
humanhash: indigo-snake-moon-north
File name:test.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:752'178 bytes
First seen:2023-06-07 16:54:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea06f0ebd05782e9caa4e3157d406e08 (3 x AgentTesla)
ssdeep 12288:5XiGDGvPSL84r6h7okw3DmKyhouWMNR5ZcnFzFJ+RsuDv5YQVqsjKx:5XvDGCLbr6h73klHuZ2nFf+RJvuQF4
Threatray 2'686 similar samples on MalwareBazaar
TLSH T1E7F4122C2DB8AD56E1E5C7B194F172667121B83E36CF2D1F55867F4680B3A4334A322E
TrID 82.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
5.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.5% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
test.exe
Verdict:
Malicious activity
Analysis date:
2023-06-07 16:55:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/807814dc-9eca-4fea-a6d8-1b443c1121e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/396586/
Detection(s):
SecuriteInfo.com.Variant.Ser.Jaik.2505.30195.31890.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Deleting a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6480b6679f2672119c32717d/reports/ed6986b4-1b9c-48fa-9f96-28ebec6b14dc/overview
Verdict:
Malicious
Labled as:
Ser.Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/fd987d623939a8b69f25a2b8350fb6e76a51e77545add40658fc60f00950d625
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/abd08fe1-6ba8-47ac-9cab-4a47414311e4
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1250643
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected MSILDownloaderGeneric
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 883669 Sample: test.exe Startdate: 07/06/2023 Architecture: WINDOWS Score: 100 28 Found malware configuration 2->28 30 Antivirus / Scanner detection for submitted sample 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 8 other signatures 2->34 6 cajoxn.exe 3 2->6         started        9 test.exe 2->9         started        process3 signatures4 36 Multi AV Scanner detection for dropped file 6->36 38 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->38 40 Machine Learning detection for dropped file 6->40 11 cajoxn.exe 2 6->11         started        42 Writes to foreign memory regions 9->42 44 Allocates memory in foreign processes 9->44 46 Injects a PE file into a foreign processes 9->46 14 RegSvcs.exe 16 3 9->14         started        18 WerFault.exe 24 9 9->18         started        process5 dnsIp6 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->48 50 Tries to steal Mail credentials (via file / registry access) 11->50 52 Tries to harvest and steal browser information (history, passwords, etc) 11->52 24 194.55.224.189, 49702, 49707, 49708 LVLT-10753US Germany 14->24 26 cdn.discordapp.com 162.159.134.233, 443, 49704 CLOUDFLARENETUS United States 14->26 20 C:\Users\user\AppData\Local\Temp\cajoxn.exe, PE32 14->20 dropped 54 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->54 22 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->22 dropped file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd987d623939a8b69f25a2b8350fb6e76a51e77545add40658fc60f00950d625/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2023-06-07 02:44:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wmh2yrzhgulnhzfuk4dkd5w45vfdz3viww5ibsy7rqpackq2ysq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1c758992ed57930115ba585a43bc0a7a750a476206cf1999bf3333f26fc230f2
AgentTesla
3bdc4fb579dbfd37752bafc023e9eaaf2788ad91afe542f8d86e097e5ca62176
AgentTesla
3c4bb89b988346aaae821e6b5ca65572da9e265bf00dfa5d0df0870634711545
AgentTesla
4a8da72abff64bcf80a2500077504588b720180b7694203bdb2434fa075fa7fa
AgentTesla
812f2741f662194744b33d6e51c4fbe11823d06e90938865aa4517974a072bc1
AgentTesla
8ef5c190b1b13bb8fdf5c06fbd8cec9bb68e9aea39d5eacd0dcc011bc6e726ee
AgentTesla
94a92d06d9fac7101cb5c15f1afe2bce92b2186085cadc1ea2c72b2f6e154912
AgentTesla
a130830dbd995f4e11fd9572076a51db0ea6fa0c4d7c57acc2c72274c05d408a
AgentTesla
a278b60ab0bd9823527c0d86509a3a5f31f107e4f8e70761cd62395e27738a0f
AgentTesla
fc4e8b16874c86e3d8ad3ce052b15421cd95d6c6f194587f2f5e08fa79e54172
AgentTesla
+ 2'676 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230607-ve4pxadc23/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/
Unpacked files
SH256 hash:
cb87d1f6fd3210423e98666863cbcfc912861c72cf300c4cfcdd43dd94c91c86
MD5 hash:
cd9c3e93f2877df91ff30a3ecd282126
SHA1 hash:
8190816811850e35437cdc0cbc113bae3c5f7431
Link:
https://www.unpac.me/results/4828c246-705d-4e97-8f75-3d34ba525ab1/
SH256 hash:
3ee6b2e12f816a3fd42dab31905ed04c3d219887f1e37f0fa2987b5402f00366
MD5 hash:
a1c4aebc2be356fed684292874cab02b
SHA1 hash:
5b5d03ee8e39694f9fb55818b6eedfcfda6c4b63
Link:
https://www.unpac.me/results/4828c246-705d-4e97-8f75-3d34ba525ab1/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/4828c246-705d-4e97-8f75-3d34ba525ab1/
SH256 hash:
9cb9f3549cbb7ab95699b23036f604b74677075ceb6be7918a3d97c22ed914ff
MD5 hash:
69f7b44ad7a90e2cef90db674a9424e8
SHA1 hash:
0ad9a90c898646dfb3568c128996f9c5b18d10e0
Link:
https://www.unpac.me/results/4828c246-705d-4e97-8f75-3d34ba525ab1/
SH256 hash:
fd987d623939a8b69f25a2b8350fb6e76a51e77545add40658fc60f00950d625
MD5 hash:
005c45c7069070fe6ad1f112a16f135c
SHA1 hash:
a023833da6bc0ecbaa674be65bdfd75b0df7b9bb
Link:
https://www.unpac.me/results/4828c246-705d-4e97-8f75-3d34ba525ab1/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fd987d623939/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd987d623939a8b69f25a2b8350fb6e76a51e77545add40658fc60f00950d625

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Multiple
Cape
Cape
https://www.capesandbox.com/analysis/396586/

Comments