MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1273b8a3054090fdf04f696dd22f284639ccb57afe9aa0a657d6fdb8fbdd3bd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1273b8a3054090fdf04f696dd22f284639ccb57afe9aa0a657d6fdb8fbdd3bd1
SHA3-384 hash: 891076c38bcfb4cfe82a342ebc1be44415625914e840d252b248492bb43225c772c68b7b5ca2f4189032e69edc80928f
SHA1 hash: 714c015ec060b4548ab6ad44abe3735cd3bc38b9
MD5 hash: 01b0451e4edec1e4766dec21ecc94a2b
humanhash: gee-cola-hamper-arizona
File name:file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:806'912 bytes
First seen:2023-01-20 13:56:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:SOnJV/fZlRI6KDc4sZR80QX+RCQl3QHpNINQGilzP:SOznZ8TBoTQX+RCOmNmlOP
Threatray 24'837 similar samples on MalwareBazaar
TLSH T1F4056B117191C2D5ECB64E780278F9242795DD9BA32D41AE7EC7343A88F378B84787A3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter jstrosch
Tags:.NET AgentTesla exe MSIL

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-20 14:01:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/babdf2fb-06e3-4f60-94b8-96c48f5fd058

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354991/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63ca9db52d4f6d560e221d06/reports/2bc7abf6-8c5c-4bba-91f7-0fc474c3977a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/494af2c7-8c9a-49b7-8ab3-cc892ad73d59
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1155541
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1273b8a3054090fdf04f696dd22f284639ccb57afe9aa0a657d6fdb8fbdd3bd1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-20 13:40:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjz3riyficip34cpnfw5elziiy44znl272nkbjsx2363r665hpiq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
263bbaae6ed67f8d86ded09cfd7a87dfdd893ce2715a4e112fb8790c2ab1fe8b
AgentTesla
372e830ca920a5f2b66e8980e5b9ddedd9343a5c23c6fb48adfc762568eacb51
AgentTesla
5a4d6959bab110d8c072b3c901e22463388ffb87c673243da8cd5c4064ab7ec6
AgentTesla
5a64665bdc77f9386891c1a251064decfdce7e9782bb4b47d95e2c14238d46f2
AgentTesla
70c00f0b64374515867ce97a2fa93544f35e715be18088e89c75c029d0f26efe
AgentTesla
851f52d27f15eb052fdaef1c0cdf91c9642d5b3c170a62a56c67d5b1b24d0c9f
AgentTesla
c8c118ac06d0162ec3a55bec5ea672de0faabab191cd92ffa31e9d3009f4e1b8
AgentTesla
f76fef3e72be648d3a32fb43e48276ef6f04cc0f5a21b89d58983c3232775adc
AgentTesla
f8067bcbd115afe0e506baf9b9de74c07f088a6b9a4cbdaa70826c26b0d0fa95
AgentTesla
+ 24'827 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230120-q9a9maga6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
1cfe6df7e1a5e9b4e41cd745fdbbfbd453c50dd9b9dc27d76dd09446910872fb
MD5 hash:
db9dfdb1913f2bbd6f0445466ca4bc4f
SHA1 hash:
b4b74421b1a64eec4d1b7ae3345897cb9a4d9de8
Link:
https://www.unpac.me/results/726d2b85-cb0a-4772-93de-304dc938d070/
SH256 hash:
3a1108ba9eb7617758c85b4795254d0b012a05d4acb5462d39363dc9f77e5eb5
MD5 hash:
8e5d2da72113328b9dbc4fd1b1ac94b6
SHA1 hash:
af5d6eb888a1646618f9b2d31f4a9dad6bdecd94
Link:
https://www.unpac.me/results/726d2b85-cb0a-4772-93de-304dc938d070/
SH256 hash:
2697f3a2efafecfce5d6e8e2c02650d76215a133cde576d6572e0c67d609a59a
MD5 hash:
3bf3fe2bcd45e7f9552ddf0f036c17be
SHA1 hash:
a7970750cde1f6f8fca23a98b07c6832c7d03d2a
Link:
https://www.unpac.me/results/726d2b85-cb0a-4772-93de-304dc938d070/
SH256 hash:
37f0a483475337a8f4e26ba814b3fb7f87dae6552dc6fd82328c3d72e305d063
MD5 hash:
a41c4d97e737c467197c379b8eb887d8
SHA1 hash:
3fa6702cc09f505f169f5e94e54f24af9d6091b3
Link:
https://www.unpac.me/results/726d2b85-cb0a-4772-93de-304dc938d070/
SH256 hash:
692096bc9564f4595a947a8ab2b7a058432e21af003408b5f5460792b0f8e22a
MD5 hash:
52360e902ef52f9645a7e33996a618b1
SHA1 hash:
37b711417112f0a6b00b1c8f244d868c207f166e
Link:
https://www.unpac.me/results/726d2b85-cb0a-4772-93de-304dc938d070/
SH256 hash:
1273b8a3054090fdf04f696dd22f284639ccb57afe9aa0a657d6fdb8fbdd3bd1
MD5 hash:
01b0451e4edec1e4766dec21ecc94a2b
SHA1 hash:
714c015ec060b4548ab6ad44abe3735cd3bc38b9
Link:
https://www.unpac.me/results/726d2b85-cb0a-4772-93de-304dc938d070/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1273b8a30540/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/1273b8a3054090fdf04f696dd22f284639ccb57afe9aa0a657d6fdb8fbdd3bd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 1273b8a3054090fdf04f696dd22f284639ccb57afe9aa0a657d6fdb8fbdd3bd1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2512245/
Cape
Cape
https://www.capesandbox.com/analysis/354991/

Comments