MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 126fbeb2bdc2dfac5b7b62ca004930a912ae5f3cb6171173b5bf1c92e0e18359. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 126fbeb2bdc2dfac5b7b62ca004930a912ae5f3cb6171173b5bf1c92e0e18359
SHA3-384 hash: de5c835dffa1f15c43a6725c128b2cf7d35edcf0395716e048c8bb84485783fc98c5dbcbfe72f6f9b2529f3c6ea0e941
SHA1 hash: 6fafa16430ec0309d6f4d312e686d5d67c3140d4
MD5 hash: 0d7db1febe925dee41c0bd8930787772
humanhash: louisiana-hamper-burger-hotel
File name:cmsMcqyTucZiVIs.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'011'200 bytes
First seen:2022-05-16 03:57:36 UTC
Last seen:2022-05-17 07:39:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:uxPZKAC+6OKpLeoP0MAfkxsBwoyGKnzRLs5KAC+6OKpLeoP0MAfkxsBwoyGKnzRd:uPZKAC+6OKpLeoP0MAfkxsBwoyGKnzRF
Threatray 18'704 similar samples on MalwareBazaar
TLSH T15225BF62A1C4D659DF2A32F2DE9E8D3122A7BDD90052D25BA17A33B54972317DC03B0F
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 4d5d5b5f4f474d94 (3 x AgentTesla, 2 x Formbook, 2 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fizetés,pdf.img
Verdict:
Suspicious activity
Analysis date:
2022-05-16 07:52:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5e101a0f-9e86-4d05-ae4e-488a11e19bce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270870/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker control.exe greyware obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6281cbcbd06ea2f4a06f49a2/reports/c21904da-bf35-4220-bc8b-0b18b4b36806/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d9f3d63-0277-4baa-9a2f-e88fee78fb04
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994538
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/126fbeb2bdc2dfac5b7b62ca004930a912ae5f3cb6171173b5bf1c92e0e18359/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 02:14:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjx35mv5ylp2yw33mlfaasjqvejk4xz4wylrc45vx4ojfyhbqnmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
341b8a2dd41846720d1e03fcc1d11e1ca48e1b274e1d209ee3cc1ced7684baf0
AgentTesla
4b3b8f1f6ab69340cea4c78f21cb691e6efdb3ede2973a6315e947b281ea25c8
AgentTesla
4cf82337bab1a66dee7f8267b43745476f735a39047975612a83a5fdab1a0893
AgentTesla
8f8b6b559a3d8f55e8efd22212eeff9136bdbc27565b49183fce44b0ece72b6d
AgentTesla
b5acfa6e4c5b96d5f45f98733f8598cffe32b077c5ff413a93ae9c6a30b9a51e
AgentTesla
d08b7126b81c09be7e54774cc35399faceef0c2d4732cbbca5d46c48d89a2f51
AgentTesla
+ 18'694 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220516-ejhegafaej/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0059c52d9cdc9ab145c371965b4d912cd5c3f3c5933e787cd9edff64cb28728f
MD5 hash:
598afa09d5e84d7a726fd8ac92b45435
SHA1 hash:
a4bc689e28dc2a1d7e9fe7fcabc97a51a52d0ef4
Link:
https://www.unpac.me/results/39c4bdc8-0278-4e69-ae69-4e777e2da680/
SH256 hash:
709fdbef8932044e42231f14888aa12b12ddc571e6daba8af86d624a39fa63bf
MD5 hash:
a7a6647650fe0204d1ab042824d638be
SHA1 hash:
a1194aba19ab6190a412073fe1918cd1b559aacf
Link:
https://www.unpac.me/results/39c4bdc8-0278-4e69-ae69-4e777e2da680/
SH256 hash:
4b61e173dca15efa294943adadacb1b14be61653908e0bc4129cc3ee42487fd5
MD5 hash:
0d9585c985d2944471b4361a8e963c92
SHA1 hash:
785bcda2e4c4e93c21c15e9675f498cea0d5808e
Link:
https://www.unpac.me/results/39c4bdc8-0278-4e69-ae69-4e777e2da680/
SH256 hash:
15678ea5d0b308789f1be5e72f34fc6a0e1a5a9543f5093fc9d98438cd8fd70a
MD5 hash:
d6d60ba5ff5b5f4e7848a529a0c2657f
SHA1 hash:
321bcc86346387f5b2e95a6d8ba4f773ce7fea06
Link:
https://www.unpac.me/results/39c4bdc8-0278-4e69-ae69-4e777e2da680/
SH256 hash:
126fbeb2bdc2dfac5b7b62ca004930a912ae5f3cb6171173b5bf1c92e0e18359
MD5 hash:
0d7db1febe925dee41c0bd8930787772
SHA1 hash:
6fafa16430ec0309d6f4d312e686d5d67c3140d4
Link:
https://www.unpac.me/results/39c4bdc8-0278-4e69-ae69-4e777e2da680/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/126fbeb2bdc2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/126fbeb2bdc2dfac5b7b62ca004930a912ae5f3cb6171173b5bf1c92e0e18359

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 126fbeb2bdc2dfac5b7b62ca004930a912ae5f3cb6171173b5bf1c92e0e18359

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/270870/

Comments