MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 146d606712c3be019a12bb7024be28453bb13f6bcfb2b9f29d9ed495b1e08eb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 146d606712c3be019a12bb7024be28453bb13f6bcfb2b9f29d9ed495b1e08eb2
SHA3-384 hash: f52c801b5adf8927321d599917f68c4d12e08c15cabda2a68d9a1c905986c0f6664e4664a27b91dbd30398450b332236
SHA1 hash: d88f599290203965140f0e46df46ccb3643b4914
MD5 hash: c2bd07e27b90e1a278b5b9395695a280
humanhash: bacon-purple-uranus-dakota
File name:c2bd07e27b90e1a278b5b9395695a280.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:710'656 bytes
First seen:2022-06-09 08:29:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:aGvX52iN/I9qbz1LI18smb4YDwb3FiV1XBjbpQEcY5VNVfKvBjYV5fM:am51pIKS18slYhV1xxNV+BkfM
Threatray 17'772 similar samples on MalwareBazaar
TLSH T17BE4F1F4DBF9B96AE00820B6B090607C77E29D0EDC62963BD59BF90B30A65D101F1D57
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 4dec9ea6f47c3697 (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
c2bd07e27b90e1a278b5b9395695a280.exe
Verdict:
Malicious activity
Analysis date:
2022-06-10 00:26:34 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/48f15c6b-f853-4572-857d-1fa546ac7d69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/278135/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/62a1af8f635bd7ad01cb49b1/reports/d4e71157-e0b4-43aa-9764-9f6f49535c0e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/325f14dd-c5bd-409a-b658-a9dfe4a4f9b2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1009848
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 642349 Sample: AX093HXFQb.exe Startdate: 09/06/2022 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected AgentTesla 2->53 55 5 other signatures 2->55 6 AX093HXFQb.exe 3 2->6         started        10 MsBulLd.exe 3 2->10         started        12 MsBulLd.exe 2 2->12         started        process3 file4 25 C:\Users\user\AppData\...\AX093HXFQb.exe.log, ASCII 6->25 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->59 14 AX093HXFQb.exe 17 5 6->14         started        19 AX093HXFQb.exe 6->19         started        61 Multi AV Scanner detection for dropped file 10->61 63 Injects a PE file into a foreign processes 10->63 21 MsBulLd.exe 14 2 10->21         started        23 MsBulLd.exe 12->23         started        signatures5 process6 dnsIp7 31 api.telegram.org 149.154.167.220, 443, 49757, 49758 TELEGRAMRU United Kingdom 14->31 33 192.168.2.1 unknown unknown 14->33 27 C:\Users\user\AppData\Roaming\...\MsBulLd.exe, PE32 14->27 dropped 29 C:\Users\user\...\MsBulLd.exe:Zone.Identifier, ASCII 14->29 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Moves itself to temp directory 14->37 39 Tries to steal Mail credentials (via file / registry access) 14->39 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->41 43 Tries to harvest and steal ftp login credentials 23->43 45 Tries to harvest and steal browser information (history, passwords, etc) 23->45 47 Installs a global keyboard hook 23->47 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/146d606712c3be019a12bb7024be28453bb13f6bcfb2b9f29d9ed495b1e08eb2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-09 07:12:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=crwwazysyo7adgqsxnycjpriiu53cp3lz6zlt4u5t3kjlmpar2za._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c847fcaed96b7e9a24dfa595b0e88f3280f60e1ad2756d898d30a256863d1dd
AgentTesla
16b1cff94d925182e95124fa432b55cc290fc81d9480493b3ff09e139eb0da6c
AgentTesla
24096a8e15f5cc1c4f4c87c928fb0fb655bfb0acb798b299a00a217f2fdbab7a
AgentTesla
3331deb34392052ae790d4977ae1f7b50118ff35973b6555b5bb367917f09da1
AgentTesla
554bf783cd947c0743e81f65c550a45eae8a4021b1e1700b590939dd3cae3321
AgentTesla
6df25138d92024a948e9ed655ca1da3dbf631113b67375e53fa6598d4fd62c05
AgentTesla
70cdb9db8282adb1bb6180798f3b35f3b69baf831fbe03e2ae38166b36a25c83
AgentTesla
fb13f5302756081d7dc2545468beddd187e44de679d3a776c62298bc18cf28c8
AgentTesla
+ 17'762 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220609-kd5kpshbe8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5402132605:AAGV8fwvNu8SuOrEEIDGn3S28kAWymSUXPI/sendDocument
Unpacked files
SH256 hash:
a4cbdbcb82f657eeeb60f3d3af9f02eabb82fd4cf16e3c65d84d2e4b89fdebd7
MD5 hash:
89ad9edb8decfee49bf911b989c61d73
SHA1 hash:
ea29a94e8908765a4fe97aef359a3a975a717b44
Link:
https://www.unpac.me/results/973c4fb3-7c6d-45fc-83f0-f7fd602a3bd8/
SH256 hash:
3c1d5bf074526080f99f5a5bb3ea27187840fe074535e1e0570f422afb670e13
MD5 hash:
530c651eba216c157cc598235a52e301
SHA1 hash:
89e547dd3c02514bc492de4792e4a8c09c2bad93
Link:
https://www.unpac.me/results/973c4fb3-7c6d-45fc-83f0-f7fd602a3bd8/
SH256 hash:
fe78017f2153de0c5ca645c4255899ab044502fe5c77d5c04ced635d9fe981d9
MD5 hash:
ab47b292d4d39311539a0b97e6661f4f
SHA1 hash:
54cd9efbebe4f41b23e6f24fffac0da8f72d921b
Link:
https://www.unpac.me/results/973c4fb3-7c6d-45fc-83f0-f7fd602a3bd8/
SH256 hash:
f2154186cbc8a52ee3e8b851dceb1e7b0738a0597f0335631e56ea40ddaefa6b
MD5 hash:
797c79f2042b938985ad87ed1939814e
SHA1 hash:
340a7060615cbdc326fa2c7f331fec7897796297
Link:
https://www.unpac.me/results/973c4fb3-7c6d-45fc-83f0-f7fd602a3bd8/
SH256 hash:
146d606712c3be019a12bb7024be28453bb13f6bcfb2b9f29d9ed495b1e08eb2
MD5 hash:
c2bd07e27b90e1a278b5b9395695a280
SHA1 hash:
d88f599290203965140f0e46df46ccb3643b4914
Link:
https://www.unpac.me/results/973c4fb3-7c6d-45fc-83f0-f7fd602a3bd8/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/146d606712c3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/146d606712c3be019a12bb7024be28453bb13f6bcfb2b9f29d9ed495b1e08eb2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 146d606712c3be019a12bb7024be28453bb13f6bcfb2b9f29d9ed495b1e08eb2

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/278135/
  
URLhaus
https://urlhaus.abuse.ch/url/2212369/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2223599/

Comments