MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b
SHA3-384 hash:	348509240440b34b3d33ffd5d49c2b7270103a864d8892ceb3dfbc150b014bcb93c7b66d6f7e89828645025219a89103
SHA1 hash:	52d0f0a4cc753daae727e5d79ae575f37042e6c2
MD5 hash:	d93ae89b2dd80e754f282db2f968e537
humanhash:	bluebird-lemon-ten-five
File name:	221020555777222pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	458'240 bytes
First seen:	2022-10-24 18:04:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:1HW9ZEjeXjYA2ospqAlwdVgDmETmGJE9i/pfp5thhhhYPDK2gIKb:mZ3XjYA2oXCRBuwpBrjYPDC
Threatray	515 similar samples on MalwareBazaar
TLSH	T195A4BF6AE026AEE2D1F71478DC55408056FDCF1BB8F28CA1D8CEED69B6EDD1D6093900
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

221020555777222pdf.exe

Verdict:

No threats detected

Analysis date:

2022-10-24 18:06:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f2009b00-f771-409f-a8f6-0294460114e8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/323580/

Detection(s):

Win.Dropper.Formbook-9975594-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Сreating synchronization primitives

DNS request

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0dd923d7-c230-4fa8-9228-d4510e6440a9

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1096826

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-10-20 11:39:58 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

26 of 42 (61.90%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dpj7usi4lxumxemj76hyn7i2pyt2qfaogv4pr6u6xmrzgfkqzrnq._file

Verdict:

malicious

AgentTesla

84103df35fb10d7045ef98daa14a78f906287c6e9e226d7bf08753bc0722cde0

AgentTesla

9316de8b3697c6a6f1fba5bc0b653cfb6202aa7429b5d203523a9768e9a772e9

AgentTesla

a0b829fae3c9ce99cd60eda2fd16812b75b380b0f7adb3e56ead69e087c2d574

AgentTesla

b0e9ac1486908cd1351af5f5cb102d16ed197dee031f9f07d996f62248fdd481

AgentTesla

b13bc9c14764fa971ad6e5f0d4583ed0a25b4ffd7a426a2b7e28567f78c4d165

AgentTesla

b613f08a0063de54e6ee9b6d3beb3ad93c1cfeb277304de7491321276d5ddc45

AgentTesla

bb06bf5d8b68991bf2545a1b560b535d35ec17f870f4b53f62c31dc3d1148408

AgentTesla

ea22f746189bf2d6ad50b7e04bf79cc153ce431f04dd2c5437632949d7eb66d0

AgentTesla

+ 505 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221024-wn6rasaaa9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b

MD5 hash:

d93ae89b2dd80e754f282db2f968e537

SHA1 hash:

52d0f0a4cc753daae727e5d79ae575f37042e6c2

Link:

https://www.unpac.me/results/7e9609bf-47a6-4815-a467-b629d746704b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/323580/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample