MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 082690655361b35e9d40944052ab73cc0a621c46b26797b4103eac51b25d7247. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 16



SHA256 hash: 082690655361b35e9d40944052ab73cc0a621c46b26797b4103eac51b25d7247
SHA3-384 hash: 868a171d65e7f1160f6ee96da1787434ffdcbc4a44a2ce9b8952ca0e075218ee153a067809491be0bfc253afbee62738
SHA1 hash: 551a484c7a5ae03c179d4b4190e8fadf39e3b2c0
MD5 hash: 388cdbb6f60dc9ef168fa4594195d16b
humanhash: alpha-freddie-shade-arkansas
File name: 388cdbb6f60dc9ef168fa4594195d16b.exe
Signature: AgentTesla
File size: 881'152 bytes
First seen: 2022-12-04 10:55:12 UTC
Last seen: 2022-12-04 12:35:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:j0wOZQAokg586aWHffNuT7EphFQH4s9L+t1pPflhb6imH72Gz5IgTGRB:jtB5O8fNiwphFQYshGPyimbBzmgTCB
Threatray: 23'589 similar samples on MalwareBazaar
TLSH: T12D154A60B1998905FF39C7FC36E1644A309A1DE0A8B96CE44C5576C20E386C4EAF79ED
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: AgentTesla exe
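The script below is an added example, not MalwareBazaar code. It checks a local file against the digests published in this entry and reproduces the imphash from an import table, which explains the pivot counts on the imphash line: TrID identifies this sample as a managed (.NET) executable, and the only native import of a .NET PE is mscoree.dll!_CorExeMain, so every .NET binary shares a single imphash. The 48'647 AgentTesla, 19'451 Formbook and 12'201 SnakeKeylogger hits are a property of the CLR stub, not of the family; pivot on ssdeep, TLSH or the Threatray cluster instead. The imphash routine follows the published algorithm (Mandiant's definition, as implemented by pefile's get_imphash) with one simplification that is this example's assumption: ordinal imports are always rendered as "ordN" rather than being resolved to names for ws2_32/wsock32/oleaut32. The placeholder bytes in the usage block are constructed and are not the sample.

```python
"""Check a local file against this entry's identifiers and reproduce its imphash.

Added example; not MalwareBazaar code. The four digests and the imphash below
are the values published in the entry. imphash() implements the published
algorithm: lower-case the DLL name, drop a .dll/.ocx/.sys extension, lower-case
the function name, join "dll.func" entries in import-table order with commas,
and MD5 the result. Assumption of this example: ordinals are emitted as "ordN"
without the name resolution pefile applies for ws2_32/wsock32/oleaut32.
"""
import hashlib
from pathlib import Path

# Identifiers copied from the MalwareBazaar entry.
ENTRY_HASHES = {
    "md5": "388cdbb6f60dc9ef168fa4594195d16b",
    "sha1": "551a484c7a5ae03c179d4b4190e8fadf39e3b2c0",
    "sha256": "082690655361b35e9d40944052ab73cc0a621c46b26797b4103eac51b25d7247",
    "sha3_384": "868a171d65e7f1160f6ee96da1787434ffdcbc4a44a2ce9b8952ca0e075218ee"
                "153a067809491be0bfc253afbee62738",
}
ENTRY_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# The only native import of a managed (.NET) executable is the CLR entry stub,
# so this import table yields the imphash shared by every .NET binary.
DOTNET_STUB_IMPORTS = [("mscoree.dll", "_CorExeMain")]


def file_hashes(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar publishes for a sample."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ENTRY_HASHES}


def matches_entry(data: bytes, expected: dict = ENTRY_HASHES) -> dict:
    """Return {algorithm: bool}; a disagreement on any single digest stays visible."""
    got = file_hashes(data)
    return {algo: got[algo] == value.lower() for algo, value in expected.items()}


def check_file(path: str, expected: dict = ENTRY_HASHES) -> dict:
    """Hash a file on disk and compare it with the entry's identifiers."""
    return matches_entry(Path(path).read_bytes(), expected)


def imphash(imports) -> str:
    """imports: iterable of (dll_name, symbol); symbol is a name or an int ordinal."""
    parts = []
    for dll, symbol in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        func = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{lib}.{func}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def imphash_is_dotnet_stub(value: str) -> bool:
    """True when an imphash is only the CLR stub and so carries no family signal."""
    return value.lower() == imphash(DOTNET_STUB_IMPORTS)


if __name__ == "__main__":
    # Constructed input, deliberately not the sample: every digest must mismatch.
    print(matches_entry(b"constructed placeholder bytes"))
    print(ENTRY_IMPHASH, "is the generic .NET stub:", imphash_is_dotnet_stub(ENTRY_IMPHASH))
```

Run `check_file("388cdbb6f60dc9ef168fa4594195d16b.exe")` on a downloaded copy before any analysis; all four digests must be True, and a True imphash_is_dotnet_stub() tells you to drop imphash from your pivot set for this sample.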

Intelligence


File Origin
# of uploads: 2
# of downloads: 180
Origin country: n/a

Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: PAYMENT COPY-1232022.doc
Verdict: Malicious activity
Analysis date: 2022-12-04 10:51:13 UTC
Tags: exploit cve-2017-11882 loader agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Threat name: Win32.Trojan.GenSteal
Status: Malicious
First seen: 2022-12-03 15:22:04 UTC
File Type: PE (.Net Exe)
Extracted files: 14
AV detection: 22 of 41 (53.66%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 18cc63bcf4fc43d2bd963d9f8998e036e1c4810c61eca8739602c533f607a229
MD5 hash: d2b2150351dc3092a5adba36cfbfe55b
SHA1 hash: e041357fbc04a1b2264026333163ec98f0148ce7

SHA256 hash: 3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash: 1619753b625e58c25b73fbf1f0bff482
SHA1 hash: c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4

SHA256 hash: 972589e7af44f1b7f1aac3dfed8d5fae235b96cf85b26158e26c0e956351b2b1
MD5 hash: d21237cfa9d44976a5a669d51df2a16b
SHA1 hash: 6bca603a1d724e2d774bb2c9e73f164a3bc972b5

SHA256 hash: 648749114b1a7f198b44dba4261ea0ca4f6752d76bd1842f1b3f6429c7f2506f
MD5 hash: 583545ed70314bb191ffcafb5a686fb9
SHA1 hash: 4977b87e43a706353cb5161bf1d3512aa0938282

Detections: AgentTesla
Parent samples:
SHA256 hash: 340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash: 85f9290aa8900e9fd74b01ee23125706
SHA1 hash: 310eb5e4aea5471b74a6385f1da283b9d8e3d698

SHA256 hash: 082690655361b35e9d40944052ab73cc0a621c46b26797b4103eac51b25d7247
MD5 hash: 388cdbb6f60dc9ef168fa4594195d16b
SHA1 hash: 551a484c7a5ae03c179d4b4190e8fadf39e3b2c0

Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.
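The vendor results above describe the same sample from several angles: WMI queries against Win32_Bios, Win32_BaseBoard and Win32_NetworkAdapter (VM detection), a global low-level keyboard hook via SetWindowsHookEx, WriteProcessMemory followed by SetThreadContext into a freshly created process (injection), an external IP lookup over a web service, and reads of browser, FTP client, mail client and PuTTY/WinSCP credential stores. The following added example, which is not code from MalwareBazaar or from any of the sandboxes quoted, turns those traits into a scoring detector over a stream of process events. The event records are constructed to resemble what an EDR or sandbox logs; the field names, the trait weights and the flag threshold are this example's own assumptions rather than any vendor's schema, and the IP-echo host list is a starting list of public services, not an indicator extracted from this sample.

```python
"""Score process behaviour against the AgentTesla traits reported for this sample.

Added example, not code from MalwareBazaar or any sandbox quoted on the page.
All event records below are CONSTRUCTED; the schema (pid, kind, api, target,
hook, host, path), the weights and FLAG_THRESHOLD are assumptions of this
example. IP_ECHO_HOSTS lists public IP-echo services as a starting point and is
not an indicator taken from the sample.
"""
from collections import defaultdict

ANTI_VM_WMI_CLASSES = {"win32_bios", "win32_baseboard", "win32_networkadapter"}
KEYBOARD_HOOK_APIS = {"SetWindowsHookEx", "SetWindowsHookExA", "SetWindowsHookExW"}
IP_ECHO_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}  # extend from your intel
CREDENTIAL_STORE_HINTS = (
    "\\outlook\\", "\\filezilla\\", "\\winscp", "\\putty",  # mail / FTP / SSH clients
    "\\login data", "\\logins.json",                          # Chromium / Firefox password stores
)
TRAIT_WEIGHTS = {
    "anti_vm_wmi": 1,
    "keyboard_hook": 2,
    "child_injection": 3,
    "ip_lookup": 1,
    "credential_store_read": 2,
}
FLAG_THRESHOLD = 5  # assumption; tune to your environment


def analyse(events):
    """Return {pid: {"traits": set, "score": int, "flag": bool}} for every pid seen.

    Events must be in chronological order: injection is credited only when a
    WriteProcessMemory into a process this pid created is later followed by a
    SetThreadContext on that same target, the hollowing sequence behind the
    "SetThreadContext / WriteProcessMemory / injection" lines in the results.
    """
    children = defaultdict(set)  # pid -> processes it created
    written = defaultdict(set)   # pid -> own children it wrote memory into
    traits = defaultdict(set)

    for ev in events:
        pid, kind = ev["pid"], ev["kind"]
        if kind == "proc_create":
            children[pid].add(ev["child"])
        elif kind == "wmi":
            if ev["class"].lower() in ANTI_VM_WMI_CLASSES:
                traits[pid].add("anti_vm_wmi")
        elif kind == "api":
            api, target = ev["api"], ev.get("target")
            if api in KEYBOARD_HOOK_APIS and ev.get("hook") == "WH_KEYBOARD_LL":
                traits[pid].add("keyboard_hook")
            elif api == "WriteProcessMemory" and target in children[pid]:
                written[pid].add(target)
            elif api == "SetThreadContext" and target in written[pid]:
                traits[pid].add("child_injection")
        elif kind == "net":
            if ev["host"].lower() in IP_ECHO_HOSTS:
                traits[pid].add("ip_lookup")
        elif kind == "file_read":
            path = ev["path"].lower()
            if any(hint in path for hint in CREDENTIAL_STORE_HINTS):
                traits[pid].add("credential_store_read")

    # What a hollowed child does is attributed back to the injector; otherwise
    # the stealer activity and the process that planted it are scored apart.
    for pid, targets in written.items():
        if "child_injection" in traits[pid]:
            for target in targets:
                traits[pid] |= traits[target]

    report = {}
    for pid in {ev["pid"] for ev in events}:
        score = sum(TRAIT_WEIGHTS[t] for t in traits[pid])
        report[pid] = {
            "traits": set(traits[pid]),
            "score": score,
            "flag": score >= FLAG_THRESHOLD and len(traits[pid]) >= 3,
        }
    return report


# Constructed event stream: pid 4242 plays the sample, 4300 its hollowed child,
# 1000 an unrelated benign process that also happens to use WMI and the network.
SAMPLE_EVENTS = [
    {"pid": 4242, "kind": "wmi", "class": "Win32_Bios"},
    {"pid": 4242, "kind": "wmi", "class": "Win32_NetworkAdapter"},
    {"pid": 4242, "kind": "proc_create", "child": 4300},
    {"pid": 4242, "kind": "api", "api": "WriteProcessMemory", "target": 4300},
    {"pid": 4242, "kind": "api", "api": "SetThreadContext", "target": 4300},
    {"pid": 4300, "kind": "api", "api": "SetWindowsHookExW", "hook": "WH_KEYBOARD_LL"},
    {"pid": 4300, "kind": "file_read", "path": r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 4300, "kind": "net", "host": "checkip.dyndns.org"},
    {"pid": 1000, "kind": "wmi", "class": "Win32_OperatingSystem"},
    {"pid": 1000, "kind": "file_read", "path": r"C:\Users\victim\Documents\notes.docx"},
    {"pid": 1000, "kind": "net", "host": "www.example.com"},
]

if __name__ == "__main__":
    for pid, r in sorted(analyse(SAMPLE_EVENTS).items()):
        print(pid, r["score"], "FLAG" if r["flag"] else "-", sorted(r["traits"]))
```

Requiring at least three distinct traits, not just a score, is what keeps a lone WMI inventory query or a single IP-echo request from paging anyone; the injection rollup is what lets the process that dropped the stealer, rather than only the hollowed host, carry the verdict.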

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: AgentTesla
Sample: Executable exe 082690655361b35e9d40944052ab73cc0a621c46b26797b4103eac51b25d7247 (this sample)

Comments