MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18e0ffc3832b0fbe21ce279e267bd20e602c2d316a7a9d6dbefc1a7338ff53ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18e0ffc3832b0fbe21ce279e267bd20e602c2d316a7a9d6dbefc1a7338ff53ff
SHA3-384 hash: 92a278eebae1cce54c3e61264abdbe36f3f9e8bae47243e2a7c6f569b670901d1156bd629d72ac82645d7bf1025d3ba2
SHA1 hash: 2883df3d3ea56cb6cae8457fa46e1ab5528f005c
MD5 hash: dd9c60ba0357c2df4a276e1bacdfaf34
humanhash: texas-sweet-pizza-equal
File name:FPm8wPrVo63a1D2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:499'712 bytes
First seen:2022-07-25 09:09:47 UTC
Last seen:2022-07-25 09:52:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'472 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:HIPyrOZyog7hp9BrSAQxV45kDPyqYgWasbe:H5OZglBenvLMTa
Threatray 18'236 similar samples on MalwareBazaar
TLSH T1D1B412E573A80533DF2409F958C6D68413F9CB226856FF4B7CCC54AA2B86BC949803E3
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 44e288ae8ace7898 (3 x Formbook, 3 x SnakeKeylogger, 2 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293955/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.38201.17123.17159.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62de5e04b3bb70bb32df3d5b/reports/8e727811-1c7e-4332-bf85-a839700763cd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d57c714-24e1-4e11-be2f-dbe722b56edb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1040306
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 672800 Sample: FPm8wPrVo63a1D2.exe Startdate: 25/07/2022 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 10 other signatures 2->39 7 FPm8wPrVo63a1D2.exe 7 2->7         started        process3 file4 25 C:\Users\user\AppData\...\YEGcwHQiOCcn.exe, PE32 7->25 dropped 27 C:\Users\...\YEGcwHQiOCcn.exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmp6FC1.tmp, XML 7->29 dropped 31 C:\Users\user\...\FPm8wPrVo63a1D2.exe.log, ASCII 7->31 dropped 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 7->45 47 2 other signatures 7->47 11 powershell.exe 24 7->11         started        13 powershell.exe 23 7->13         started        15 schtasks.exe 7->15         started        17 FPm8wPrVo63a1D2.exe 7->17         started        signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/18e0ffc3832b0fbe21ce279e267bd20e602c2d316a7a9d6dbefc1a7338ff53ff/
Threat name:
ByteCode-MSIL.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2022-07-20 18:07:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ddqp7q4dfmh34iooe6pcm66sbzqcyljrnj5j23n67qnhgoh7kp7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
416f95fa60681b85d328c5612f410650825908b3e1fb58af634b60bb35ac1969
AgentTesla
672f129436328ef22b40863bd0158d013bb4925cbbd4d6b7d5b031a9d56bbd53
AgentTesla
6d1674b2782a12aac4c8f067446299924ecc123c77a7a346775eb41fc4648047
AgentTesla
6f37f6928a005cab38dc68e03843756f90d2d56e3e68110ddece060e11a98d88
AgentTesla
8126addf40ee416e253cf5b46048633dc836856575e92ce271854417a1ddf9f7
AgentTesla
8c0726ab5d6f41c5e8d123d8c2444eb709543ee350dcecfe6e5190ddfe32e337
AgentTesla
a0669c333cd5683b938d7525828022547ddcaa61e924ca7f4a29e484d0c7100a
AgentTesla
abd0a804168a65ceb8827d34d11b58601eb5d947637ee9fdd2dffa3a4afc9961
AgentTesla
b993421e49aafc2f381919313d92dd6f89ac99d67b5e650734abd5d3499eff5f
AgentTesla
cfe8883503f6c675d58b8d30c1d0a9064da329fc82bf4f5cd4230783d53a5c6c
AgentTesla
+ 18'226 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220725-k43tssbaf3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
AgentTesla payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument
Unpacked files
SH256 hash:
1a14fc1057b8f64fc8c4b4454119af2d22837e5884f056d7e093ece666cd7b64
MD5 hash:
16c2f0aa4995d49f3604eabcf2872056
SHA1 hash:
e53e78520b1a4f484bb4fd71d4042deaec424395
Link:
https://www.unpac.me/results/e135f1b3-6c7d-4eec-b882-85c26b23923a/
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/e135f1b3-6c7d-4eec-b882-85c26b23923a/
SH256 hash:
6ebb9d783534cd3a2e81e3d8b8d3b0e0644e9fbe41c0a932ae43b93595dc572a
MD5 hash:
3bc2c1cea8a7d4c7c04c9a2a22d34b1d
SHA1 hash:
d8ee789bc0e4f39433d1c0eeb22ff42f0bcaa407
Link:
https://www.unpac.me/results/e135f1b3-6c7d-4eec-b882-85c26b23923a/
SH256 hash:
c78401563e8d5557050f906f12a71b10d5f0a6650d012ba6c8fbe99a11f80668
MD5 hash:
55b76ea1ac804d6fed4f499ba47a070c
SHA1 hash:
8aed16136be9eec31bc1d0c38513008acd286d9a
Link:
https://www.unpac.me/results/e135f1b3-6c7d-4eec-b882-85c26b23923a/
Parent samples :
ee786b17c0debabc35aaa386da758c13cc9e0952b0d2d4e265756f493f82c2ed
9bf192a23eeb844b6e8b01c41d085d1c2bfb576653732d99d7468571f1a28fb5
53643684e723ff5fe2cfef8ab65cd8395120f618223e4fa44c2fad60e0b0e29a
9196273424391332296b033958a8271b9937e8688e3a3c36bd04d5dd62f164cc
SH256 hash:
f6d1cda2efe2622064025631b2a1ee8e5bdc057798de203ed5841916e662b4a1
MD5 hash:
fb7cc194309b03e66b160fe20f371762
SHA1 hash:
7b6fe95b9b6af1328d43ef9fff27919d807b9c47
Link:
https://www.unpac.me/results/e135f1b3-6c7d-4eec-b882-85c26b23923a/
SH256 hash:
18e0ffc3832b0fbe21ce279e267bd20e602c2d316a7a9d6dbefc1a7338ff53ff
MD5 hash:
dd9c60ba0357c2df4a276e1bacdfaf34
SHA1 hash:
2883df3d3ea56cb6cae8457fa46e1ab5528f005c
Link:
https://www.unpac.me/results/e135f1b3-6c7d-4eec-b882-85c26b23923a/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/18e0ffc3832b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18e0ffc3832b0fbe21ce279e267bd20e602c2d316a7a9d6dbefc1a7338ff53ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 18e0ffc3832b0fbe21ce279e267bd20e602c2d316a7a9d6dbefc1a7338ff53ff

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/293955/

Comments