MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1822d8a4ee73275bfdd30f46630b488c8baeb428476e9004d782f968c9ecc1a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1822d8a4ee73275bfdd30f46630b488c8baeb428476e9004d782f968c9ecc1a8
SHA3-384 hash: 1eff3f2caff1d266733a229f846535e839f5b73bffc09a63815e9589db0fa3ac923d29d6d1571b487d7026defc9c757a
SHA1 hash: 1a14bd772bd2d2d6758e09e4c1b40c5a4a1160ef
MD5 hash: 9fed6df15ba91b7396841183624f90be
humanhash: oregon-snake-alpha-mexico
File name:TT copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'137'536 bytes
First seen:2021-07-23 06:11:56 UTC
Last seen:2021-07-23 06:58:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:pmhMPyfd/ueTyvx68dsq/jgHOzqAOI5DjD+j9S2bhk+9EZjnLjcLq2biexzr0q:pI9FT08usAjgubOIZ/+x/bG+9sLLjWDX
Threatray 31 similar samples on MalwareBazaar
TLSH T136E501224DCE4667D26449B3D330EF02DEF15C662544EE162EC1F0AB9D3729A98DED0E
dhash icon f8dcbeffbffecee8 (13 x AgentTesla, 7 x Formbook, 5 x Loki)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT copy.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 06:12:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/831ba67d-e91a-460c-8c4e-e2f15fbb005f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173508/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.27475.16116.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d446358-2309-4e0e-b56d-4438d7f9ca20
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820551
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452961 Sample: TT copy.exe Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 25 Found malware configuration 2->25 27 Multi AV Scanner detection for dropped file 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 7 other signatures 2->31 7 TT copy.exe 6 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\vTLIJWQSX.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmpE531.tmp, XML 7->21 dropped 23 C:\Users\user\AppData\...\TT copy.exe.log, ASCII 7->23 dropped 33 Injects a PE file into a foreign processes 7->33 11 schtasks.exe 1 7->11         started        13 TT copy.exe 1 7->13         started        15 TT copy.exe 7->15         started        signatures5 process6 process7 17 conhost.exe 11->17         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1822d8a4ee73275bfdd30f46630b488c8baeb428476e9004d782f968c9ecc1a8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 00:56:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=darnrjhoomtvx7otb5dggc2irsf25nbii5xjabgxql4wrspmygua._file
Verdict:
unknown
Similar samples:
280cc07780558d0d3368a4e8b5b4caa401e2049c7c256e24cd02cd989713142f
AgentTesla
289e754a2cf583d9f99c47497555cc32130db6dc115e5bdcc18498bc23fb2f2a
AgentTesla
70466eb081829487f1d792ca76eafd8c1b2a7a0c8662bab867cb9d04f5ba1ea4
AgentTesla
932f441f48b8141855595770e135e4835569547461b337fea67a695f33e1e65a
AgentTesla
9f75d7b0a9006f15297ee21ed5aa35c3a27835b18c83854479e900118fab75ca
AgentTesla
ae37bee148d1523236eef975fd02b5c461bae3e9edd4dfcb12d76a0b8015a5fe
AgentTesla
b11a974fee906fcfbfadce6a615552bb396a0ab0fa891f87f78476f5e63da275
AgentTesla
bdf4f9852ab895ece675c5b98ab1fc53fa962a7550385cb72cfb407968254e01
AgentTesla
e50bf20dc2d0f80249246b50ae0b4a780442f3162f3d9e1b471d52ce7c24ab80
AgentTesla
f540c5efdad496c600faa92500d473c40f22a49897f12ace8c0f7ab09cdee1b0
AgentTesla
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210723-q2xrjltcds/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
UAC bypass
Unpacked files
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/649f6bd8-0b33-4308-9de3-6feaec7fbdab/
SH256 hash:
6f481f2bbf277cfd7d94757f2f3b0cc0db11b8502c995b15df61f5b7ff3d916f
MD5 hash:
950f58ef0d0777772ab44c8506dce1a4
SHA1 hash:
caf8d15ce8da601212cb5bc491efffa42da01e28
Link:
https://www.unpac.me/results/649f6bd8-0b33-4308-9de3-6feaec7fbdab/
SH256 hash:
e8f67480218834b4894ee0d5d4e178a219a37f486847da154452431e1eefcdc2
MD5 hash:
2b4b7420817b55fd3831e99adbe74c66
SHA1 hash:
434abf1496b07339814fd546dd48bb662a9749ef
Link:
https://www.unpac.me/results/649f6bd8-0b33-4308-9de3-6feaec7fbdab/
SH256 hash:
4e97a7e6544f4e4d75652b7812376dda06274c21ad94e67b2ba912d49927dd5a
MD5 hash:
2bad87d1bb6c9804705c81b56731aa43
SHA1 hash:
303f30103acdff64c7b6343fe08259775fde776d
Link:
https://www.unpac.me/results/649f6bd8-0b33-4308-9de3-6feaec7fbdab/
SH256 hash:
1822d8a4ee73275bfdd30f46630b488c8baeb428476e9004d782f968c9ecc1a8
MD5 hash:
9fed6df15ba91b7396841183624f90be
SHA1 hash:
1a14bd772bd2d2d6758e09e4c1b40c5a4a1160ef
Link:
https://www.unpac.me/results/649f6bd8-0b33-4308-9de3-6feaec7fbdab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1822d8a4ee73275bfdd30f46630b488c8baeb428476e9004d782f968c9ecc1a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

c687593f3c6251bf3a36d4d66af4624bfb854f526622f0564639b6afe6f9adb4

AgentTesla

Executable exe 1822d8a4ee73275bfdd30f46630b488c8baeb428476e9004d782f968c9ecc1a8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c687593f3c6251bf3a36d4d66af4624bfb854f526622f0564639b6afe6f9adb4
Cape
Cape
https://www.capesandbox.com/analysis/173508/

Comments