MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff075bd120a01cea7441f17e7ed8b2cdc630c8445d3bf025133dcf190b41f0fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff075bd120a01cea7441f17e7ed8b2cdc630c8445d3bf025133dcf190b41f0fe
SHA3-384 hash: 457141ec9f7cea6300c9870ba6368e8973c0141ebbbc1b03b86b7941a47405d7f6024e8f10a99cf4f8c69af05a5d7ec7
SHA1 hash: 2f0c978f7b565c599f8d719be657ca5471ef147c
MD5 hash: 0688e96359a47fdee3188d881fcbd2f0
humanhash: alpha-india-sixteen-romeo
File name:SecuriteInfo.com.MSIL.Kryptik.AGIJ.tr.11110
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'171'456 bytes
First seen:2022-09-07 20:30:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:tONz9IVo0TlDTVr6St9SeU8blvxlAStWUo9gjLs:tYz9IVtJDJrjt9S18blzZgUOgjLs
Threatray 19'578 similar samples on MalwareBazaar
TLSH T1C345390722C509A0D07A52B824DCC5728B7A9E55E63BC9457FCC9CEFF693F6842D23A1
TrID 49.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
21.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.9% (.SCR) Windows screen saver (13101/52/3)
7.1% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f0c4c6a2c4cdcccc (3 x AgentTesla, 1 x Loki, 1 x SnakeKeylogger)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
436
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.MSIL.Kryptik.AGIJ.tr.11110
Verdict:
Malicious activity
Analysis date:
2022-09-07 20:33:16 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/825796e3-d430-42b0-b39a-ee6ea66fd953

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308584/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.AGIJ.tr.11110.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm
Link:
https://www.filescan.io/uploads/6318ffe1d836d69184834eda/reports/55d156d0-e0ff-4600-938b-d22519207b24/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05bdb507-8765-4b4c-b51d-bdf2839539ef
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066751
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 699285 Sample: SecuriteInfo.com.MSIL.Krypt... Startdate: 07/09/2022 Architecture: WINDOWS Score: 100 27 Malicious sample detected (through community Yara rule) 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected AgentTesla 2->31 33 8 other signatures 2->33 7 SecuriteInfo.com.MSIL.Kryptik.AGIJ.tr.11110.exe 4 2->7         started        process3 file4 21 SecuriteInfo.com.M...IJ.tr.11110.exe.log, ASCII 7->21 dropped 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->35 37 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->37 39 Adds a directory exclusion to Windows Defender 7->39 11 SecuriteInfo.com.MSIL.Kryptik.AGIJ.tr.11110.exe 15 2 7->11         started        15 powershell.exe 19 7->15         started        17 SecuriteInfo.com.MSIL.Kryptik.AGIJ.tr.11110.exe 7->17         started        signatures5 process6 dnsIp7 23 api.telegram.org 149.154.167.220, 443, 49734 TELEGRAMRU United Kingdom 11->23 25 192.168.2.1 unknown unknown 11->25 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->41 43 Tries to steal Mail credentials (via file / registry access) 11->43 45 Tries to harvest and steal ftp login credentials 11->45 47 2 other signatures 11->47 19 conhost.exe 15->19         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff075bd120a01cea7441f17e7ed8b2cdc630c8445d3bf025133dcf190b41f0fe/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 20:31:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
72
AV detection:
17 of 40 (42.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=74dvxujauaoou5cb6f7h5wfszxddbscelu57ajithxhrsc2b6d7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1aaf4de53354804892f469dc81af5c889c575c931852cfa7f07b2313c54196b6
AgentTesla
1aed7661a990d34584f7687545b78a8debc0a905e91bdccb9f2160606c1965c4
AgentTesla
3c145d64a3b2a1b1c02701a8147b39e11d3611d7e30415d7a117bf017df71f97
AgentTesla
6fe3e4a455584fd416ce8c785e95c072e52b08b9c8749564188f784fa7ff7f10
AgentTesla
726049b62b7aa78b24e6bbe3b589446acc258bd1795fef985910bce206555695
AgentTesla
8ac87b444eea2a1f9bed0f24a201330fe22090a803e68f160ffdc43dc8b265a2
AgentTesla
961b3c31dce2146e97c694b3d02e9818b7e637c569c2b9c034c5f4e713bb7a5b
AgentTesla
b43689efa40a68f025b93d4b0e787b413d580caa65ac78e0f6d05b93775e004f
AgentTesla
+ 19'568 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220908-fwsxeadgb8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5160627201:AAFqhXgzctTZMSuR7dIpLe50dmHi1xpPyYQ/sendDocument
Unpacked files
SH256 hash:
8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63
MD5 hash:
dbc7be56e6e32349315170599c8b333f
SHA1 hash:
d8e5840e3574b87d435e55a65ac648e040871aee
Link:
https://www.unpac.me/results/df359784-a20a-4d17-9629-97011abbf2f0/
SH256 hash:
5e95d6b3a2ed5f2040510a448d21ce94e0ffc1efa49d86f9ce7bb7b699c6264f
MD5 hash:
be3ece23aa30eba07b66aae1aa206c95
SHA1 hash:
c96a974ef6cb515adbca771c2041345f9421e9f9
Link:
https://www.unpac.me/results/df359784-a20a-4d17-9629-97011abbf2f0/
SH256 hash:
24145c556ad5bdc7491150220c3e915be5c1b413f3f1fafa725b8e8d5f6b5261
MD5 hash:
f4ebc0aa022f6b3619b5f43454430be8
SHA1 hash:
aae946f898bc0c23c1c89e3f17b94ddd883351c4
Link:
https://www.unpac.me/results/df359784-a20a-4d17-9629-97011abbf2f0/
SH256 hash:
c4deb6ef8e9a937ed4cb521f66c592b798729aefaf1bd6120fa025cfed950993
MD5 hash:
9a4ea66c86bd39e1f7b915ae66994644
SHA1 hash:
345c74ba37d826c19e9d9b24e6e66e499cb88a47
Link:
https://www.unpac.me/results/df359784-a20a-4d17-9629-97011abbf2f0/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/df359784-a20a-4d17-9629-97011abbf2f0/
SH256 hash:
ff075bd120a01cea7441f17e7ed8b2cdc630c8445d3bf025133dcf190b41f0fe
MD5 hash:
0688e96359a47fdee3188d881fcbd2f0
SHA1 hash:
2f0c978f7b565c599f8d719be657ca5471ef147c
Link:
https://www.unpac.me/results/df359784-a20a-4d17-9629-97011abbf2f0/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ff075bd120a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff075bd120a01cea7441f17e7ed8b2cdc630c8445d3bf025133dcf190b41f0fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308584/

Comments