MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 142b5c747f40768652455670aa1050e6b2cbd7cb1517c3ab0b958007ddc9e692. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 142b5c747f40768652455670aa1050e6b2cbd7cb1517c3ab0b958007ddc9e692
SHA3-384 hash: 1cc8e2714df63f02d33c51d5398b48f1b650a481de4857829ad057db9f0210fcdc2ba8927e6a6162ffd93c4a1f308af0
SHA1 hash: e05ec2550a0fb094798cc92ca28270e7be9dc8c0
MD5 hash: b3f6079092d3bb409976a3b2a638e379
humanhash: table-eleven-avocado-lima
File name:SCAN_AWB_SHIPPING_Bill of Lading_DOCS_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:685'568 bytes
First seen:2023-09-14 12:47:30 UTC
Last seen:2023-09-14 13:38:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Xv5j8FwLm/BFLmM2+3XJ1gyIbIzSNAOk6YxFjul9NOMsrX3WtmMzXLWFEAmD:XRj8F6ONmM2+3XTgyIUmNAPZUOf3qzXK
Threatray 1'157 similar samples on MalwareBazaar
TLSH T111E412E2B616EE89E8AA0BF14472530003B56E6D95ACE50D2ACE3D9F73337431594F1B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SCAN_AWB_SHIPPING_Bill of Lading_DOCS_PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-09-14 12:50:50 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/dc0629f5-4cc1-4c01-9532-67c57d7f8125

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448632/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.3593.26892.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/650301049bae8a378556f01d/reports/a51b77bd-a363-4032-b972-ba36d1534055/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/142b5c747f40768652455670aa1050e6b2cbd7cb1517c3ab0b958007ddc9e692
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49794827-b5e4-475b-b796-4b70cf0b0491
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307841
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1307841 Sample: SCAN_AWB_SHIPPING_Bill_of_L... Startdate: 14/09/2023 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->45 47 11 other signatures 2->47 7 AjHuooQZsk.exe 5 2->7         started        10 SCAN_AWB_SHIPPING_Bill_of_Lading_DOCS_PDF.exe 7 2->10         started        process3 file4 49 Antivirus detection for dropped file 7->49 51 Multi AV Scanner detection for dropped file 7->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Machine Learning detection for dropped file 7->55 13 AjHuooQZsk.exe 7->13         started        17 schtasks.exe 7->17         started        35 C:\Users\user\AppData\...\AjHuooQZsk.exe, PE32 10->35 dropped 37 C:\Users\user\AppData\Local\...\tmpF51B.tmp, XML 10->37 dropped 57 Uses schtasks.exe or at.exe to add and modify task schedules 10->57 59 Adds a directory exclusion to Windows Defender 10->59 61 Injects a PE file into a foreign processes 10->61 19 SCAN_AWB_SHIPPING_Bill_of_Lading_DOCS_PDF.exe 15 2 10->19         started        21 powershell.exe 21 10->21         started        23 powershell.exe 21 10->23         started        25 schtasks.exe 1 10->25         started        signatures5 process6 dnsIp7 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->63 65 Tries to steal Mail credentials (via file / registry access) 13->65 67 Tries to harvest and steal browser information (history, passwords, etc) 13->67 27 conhost.exe 17->27         started        39 api.telegram.org 149.154.167.220, 443, 49712, 49713 TELEGRAMRU United Kingdom 19->39 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/142b5c747f40768652455670aa1050e6b2cbd7cb1517c3ab0b958007ddc9e692/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-14 07:48:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqvvy5d7ib3imusfkzykuecq42zmxv6lcul4hkylswaapxoj42ja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05360352816fd2dfd09c05a57131f86c59fd38f7153c5261973216cf596ad077
AgentTesla
06ae72c32a24ee111456f03eddac030e5dcc887b1f6fcccebd0510aa7e694c82
AgentTesla
402fbecbd491aca725151d4bfe04e48f40bee088a5f492f2ad47751c72b199ce
AgentTesla
5d200010b1e304c628c669df531476f099b0ca944a1c52e5025f6fc1af16ad1b
AgentTesla
9031046e4ced137007aef2a35a80ab5e4a66dfcc47505d7c7832283ec1ae2c5a
AgentTesla
ab335b9636205ee0f2260e18b7c546b6a110015b3a1b759bac656f17ce9e93b2
AgentTesla
d2ca4fbb0d048c9fcb71ec6146e9a8ef2f648191b4bc8cec3d05f5afa2f0ed5b
AgentTesla
d2e1eead980699faad8218e03f34a2a6309f4fa40c43126f752a8e759a1c1fbd
AgentTesla
f8ed4bb623e64e25ffa201ed4d490789e6707b8dce4ebc99ca181aefc9c08ebf
AgentTesla
fe36ee5707daa891a4902579d1ef2a98d681bf50d87982a1a331432277924365
AgentTesla
+ 1'147 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230914-p1rpksef56/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6341101849:AAH9Bq043iL55ADMsqYTAfEUkpSPMxB7MXY/
Unpacked files
SH256 hash:
0cc2d545cdbc9aca7ac5732fc2e1858bae1b8c575e67f0b4b8077610c5597806
MD5 hash:
604ba9fe5293c6b09155e9593e5fe8b4
SHA1 hash:
c9ca531c5c50091dcdeabea6af26643e897fe3f8
Link:
https://www.unpac.me/results/e10272d7-5e45-4aef-8e25-8e82fae8b811/
SH256 hash:
090ad4256bd31685ee07dddc96b91cb5006cf427e122af1a6240490f700f34fd
MD5 hash:
20a9a1e611e34177ada770890c96035f
SHA1 hash:
9efada16eed50873395d2a6398f3942ba9e20091
Link:
https://www.unpac.me/results/e10272d7-5e45-4aef-8e25-8e82fae8b811/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/e10272d7-5e45-4aef-8e25-8e82fae8b811/
SH256 hash:
142b5c747f40768652455670aa1050e6b2cbd7cb1517c3ab0b958007ddc9e692
MD5 hash:
b3f6079092d3bb409976a3b2a638e379
SHA1 hash:
e05ec2550a0fb094798cc92ca28270e7be9dc8c0
Link:
https://www.unpac.me/results/e10272d7-5e45-4aef-8e25-8e82fae8b811/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/142b5c747f40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/142b5c747f40768652455670aa1050e6b2cbd7cb1517c3ab0b958007ddc9e692

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/448632/

Comments