MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14480f4ce9a1c99ea2336e2d28ccd37aac77275f8adde88ef001318b45a644b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14480f4ce9a1c99ea2336e2d28ccd37aac77275f8adde88ef001318b45a644b7
SHA3-384 hash: b60bbbd2a84a233d695f69e69da999632ee8feaea674f79148cc443050a9fa441225a3d7f87170c259f50e6b376ff9dd
SHA1 hash: 3371c16c53377acce7865d1373ddbe6f37476a0a
MD5 hash: f5ed6d70b2c05c5b9beb673c250df3a4
humanhash: ack-november-montana-hawaii
File name:Halkbank_Ekstre_20230614_073809_405251-PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:910'848 bytes
First seen:2023-06-16 11:18:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:r5LbzIu9+r9N6VCIbtDN9u22xrSuO9RlhigU:r5LA9xMYL0P9rh/
Threatray 5'450 similar samples on MalwareBazaar
TLSH T18015E023F5CDE7C9E09E06789D24F7BE22226D615431CD6B2C96F1886934B0625F387E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 72ceaeaeb2968eaa (57 x AgentTesla, 9 x Formbook, 7 x RemcosRAT)
Reporter abuse_ch
Tags:AgentTesla exe geo Halkbank Telegram TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20230614_073809_405251-PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-06-16 11:26:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/115f533b-1195-4f30-8ccf-4138d4cd3728

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399463/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.26333.7751.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/648c452dc251abcf5c7a0db7/reports/e664b57f-ceac-4de6-b093-787f59e047a9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/14480f4ce9a1c99ea2336e2d28ccd37aac77275f8adde88ef001318b45a644b7
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ae60ab2b-8616-4238-b060-3df80fc55a2f
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1255977
Signature
.NET source code contains potential unpacker
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/14480f4ce9a1c99ea2336e2d28ccd37aac77275f8adde88ef001318b45a644b7/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-16 06:37:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
22 of 36 (61.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=crea6thjuhez5irtnywsrtgtpkwhoj27rlo6rdxqaeyywrngis3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d8247c4ed6a49e33ac5d481f08cdef22d2ed7caf2434d031e0a0cebe296893d
AgentTesla
0ffb2f62c79661847214dbf0242b3ccb488782b9a06278a1b66244f9338f2525
AgentTesla
12384caecb7a336ae37a29e642488b5cc45559c321dad21c4c8fa7868a2ce859
AgentTesla
204f9fbd3fb79151782fec13185b3c55e0109ad3e27e91fe1410cc1171106ff8
AgentTesla
213c731aacc82ea20f97417a4adf5d4a024e52798d07f05b704711cb1f5c6248
AgentTesla
4913dda08726dc0fcc3b36bb5daf24556364937a7c4950698e8f2cc0691aefc6
AgentTesla
d7abd39aef9b875bc280512418843d56e027212adfd34c36d7d20203168b8bad
AgentTesla
e9104c6f82a1b8c52bb881161440b8b1a8e3bf358cd60672dbfc14a2bc12518d
AgentTesla
f3053c7e048f3a0446a3a5b005a73173720e037f7372c4dad57955b23c42d3f0
AgentTesla
+ 5'440 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230616-nevnnsed5w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5817723059:AAHLBu2CaRbhv8Vp2UNvh8S3DM3a6i7mZsk/
Unpacked files
SH256 hash:
44e898c13b8933ef2386e350159d819a4b7e432ddce027e3d1e699ef2e15ef2b
MD5 hash:
a2f9853ea209cc920efceddd589241e9
SHA1 hash:
d516fb8797825e6b46345efb0a75bed6b1406c8d
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/9b899866-8afd-4ce9-a6ad-bbeab8d83baa/
Parent samples :
14480f4ce9a1c99ea2336e2d28ccd37aac77275f8adde88ef001318b45a644b7
0a50e4e96fe3948c570214cd5dcdf34b3a2625742eaf15ebdde41d0cd75dea61
9535651c3045997ff8c014100fa84d249541469028b3366624a4f472ed08f644
5ed11a0df9fba27a5396e764f91ffdef4cc12784303f8d48bd1090528df306de
39893af7f960c76c20ab2b99e5caa2acabab3c7fc01e47791586f451eba5be5b
3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f
SH256 hash:
b86193f0f5eeadf451f23596dffb4d015245311c67bc15244c2b1c81293d3679
MD5 hash:
be09d1a9fbdc7fe4ad47e49a0ccf2a0e
SHA1 hash:
3eea7d856de59fefd670110c2edda63c319a5a1b
Link:
https://www.unpac.me/results/9b899866-8afd-4ce9-a6ad-bbeab8d83baa/
SH256 hash:
b7f69598592cdd4a7e3a796ca39c31dfd718f243de57836db78cdf5f73a1d4a1
MD5 hash:
8061c77d78803175edc82b37123aa1e9
SHA1 hash:
3dc839c739e61dc3c7faf0762f95d59a384c5609
Link:
https://www.unpac.me/results/9b899866-8afd-4ce9-a6ad-bbeab8d83baa/
SH256 hash:
fca8ccfa3d93c61f9ac0d39bdffb54e6f35b98bd67abffc012ef009ce8715be7
MD5 hash:
f2a7d48b5d3eb26ae5c759b132f67fef
SHA1 hash:
26fed138e0dc2b4a695302c65d16a03b17d11d0a
Link:
https://www.unpac.me/results/9b899866-8afd-4ce9-a6ad-bbeab8d83baa/
SH256 hash:
ac1ba48867bd45f65a9af4afb1bb8a8a77a7cfacc1915599a369fba9a650dbc8
MD5 hash:
38d13d5ff6f11756c2d3a244068752c5
SHA1 hash:
1914476b161158b290413d9abe44f0c7df275d82
Link:
https://www.unpac.me/results/9b899866-8afd-4ce9-a6ad-bbeab8d83baa/
SH256 hash:
14480f4ce9a1c99ea2336e2d28ccd37aac77275f8adde88ef001318b45a644b7
MD5 hash:
f5ed6d70b2c05c5b9beb673c250df3a4
SHA1 hash:
3371c16c53377acce7865d1373ddbe6f37476a0a
Link:
https://www.unpac.me/results/9b899866-8afd-4ce9-a6ad-bbeab8d83baa/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/14480f4ce9a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/14480f4ce9a1c99ea2336e2d28ccd37aac77275f8adde88ef001318b45a644b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/399463/

Comments