MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14997972307c483549e7e7818855d1e2cd889598a943fdc3dfff67e69e20946c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14997972307c483549e7e7818855d1e2cd889598a943fdc3dfff67e69e20946c
SHA3-384 hash: ab17d0b0693241887e8d02ed4216fa4ba88e8f789cd792bd847a6157a52035a8eccf39d942adb4a7f14ffbd1bad48fef
SHA1 hash: aa3d3d5d6318b537046a3bbdd5af6a8e7b9dd579
MD5 hash: bf933d32a2b536fc785fd73a6fc9b8f3
humanhash: quiet-chicken-nineteen-uniform
File name:bf933d32a2b536fc785fd73a6fc9b8f3.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:684'032 bytes
First seen:2023-01-19 15:37:11 UTC
Last seen:2023-01-19 17:39:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:2mTlmnu0bg8ZW5P/S9+0HjuieiND47es1ogkz+NRRih:2mTlm3gzd0HjuieqSDm8Ri
Threatray 24'855 similar samples on MalwareBazaar
TLSH T141E45A415A7B87E2E4F94E78163CA5142BA11CD147ACA13EBD827DBE9CE770F0095723
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bf933d32a2b536fc785fd73a6fc9b8f3.exe
Verdict:
Malicious activity
Analysis date:
2023-01-19 15:39:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/74f9d35b-1cd5-4ca5-9f6c-9ddd191c117e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354636/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.738.1954.29119.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c965b0deddc48f89f824c2/reports/8eb0fe91-e009-4949-9d7e-703dba7dd97f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51b7ca46-c736-4fdc-96b6-270028703935
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154811
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14997972307c483549e7e7818855d1e2cd889598a943fdc3dfff67e69e20946c/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-01-19 09:58:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=csmxs4rqpredksph46ayqvor4lgyrfmyvfb73q6775t6nhrasrwa._file
Verdict:
malicious
Similar samples:
175b18fc4d1ce73099a94c25d5fee0af5704e47b37803137368bdf416fc8a364
AgentTesla
1818cc0b97f34215f7b517c8cccf9b7d2c38df6526782c9a24a935e2f1f2fd55
AgentTesla
4ec961389dcf825881ba0f1100d9ee32d5f7087e2337425d087fc0c5d768a990
AgentTesla
71f2b84781d797f891bf4e7c9b19de48ccac1928305afa0e8f264c736a3fdb1a
AgentTesla
b65c9b32608d8cb0f3fab995466eadf5461a471069dc7b801c3c5b14fa75fdb8
AgentTesla
bf5fcf3bef3263d12338e52f704bda62ff8e2518e99e019571e10ceca167f18c
AgentTesla
ce5c147f75c354710869fde43cdc99afb90de8f43d5a0a58cd7456ade759b110
AgentTesla
d6aeb3ff89d6756a14f8a7731c4caa67fa652a5a4709c6804b94879f751a3c6f
AgentTesla
de7da8b54474a61449ac0c8a9feebc5708d73e8cf14bd2b74125d20cdf67bb84
AgentTesla
+ 24'845 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection
Link:
https://tria.ge/reports/230119-s224gsdd5v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Unpacked files
SH256 hash:
5a4cec198201afbc04bf2b873d248661a2b65757076efdf10b173b15a4982e3a
MD5 hash:
1a7d87852aacb8f7c50e10939923b767
SHA1 hash:
c213bc1cb1c47835c156fa332a97b905b1473250
Link:
https://www.unpac.me/results/96256884-05a3-4093-af34-d6ff2c2944e2/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/96256884-05a3-4093-af34-d6ff2c2944e2/
SH256 hash:
4305dd2c5f5d122f9082c0d79d814194b8cd8a0a51ca390dda75b962c268fa4b
MD5 hash:
9f1ec91540f833cf8f02e391a7bdbc49
SHA1 hash:
a9410417176b92c93ed5cf7ba381bce70c9aaf7a
Link:
https://www.unpac.me/results/96256884-05a3-4093-af34-d6ff2c2944e2/
SH256 hash:
24a9b40525514ef83760b363dc879641e6dfa74737772c5123a43a05f0546a97
MD5 hash:
6167b1697c91c02ae032280b750116cd
SHA1 hash:
7bd948192c2e6298b98cbffe67af10b3485fd069
Link:
https://www.unpac.me/results/96256884-05a3-4093-af34-d6ff2c2944e2/
SH256 hash:
fe3f595e59ac44bb25b344ba911d473b3e39b4b616baeede85f2bfc0a061fc12
MD5 hash:
c66cea2530cc078d07a3ac1d17b2bf87
SHA1 hash:
034c492db206ef2a4aaaa14460d19c3ba2f112ee
Link:
https://www.unpac.me/results/96256884-05a3-4093-af34-d6ff2c2944e2/
SH256 hash:
14997972307c483549e7e7818855d1e2cd889598a943fdc3dfff67e69e20946c
MD5 hash:
bf933d32a2b536fc785fd73a6fc9b8f3
SHA1 hash:
aa3d3d5d6318b537046a3bbdd5af6a8e7b9dd579
Link:
https://www.unpac.me/results/96256884-05a3-4093-af34-d6ff2c2944e2/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/14997972307c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/14997972307c483549e7e7818855d1e2cd889598a943fdc3dfff67e69e20946c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 14997972307c483549e7e7818855d1e2cd889598a943fdc3dfff67e69e20946c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2511641/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/354636/

Comments