MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f519abedceeaca2fffef4410b7e05feda1f2449cb49d4e7d6bbe4ce2b567c95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f519abedceeaca2fffef4410b7e05feda1f2449cb49d4e7d6bbe4ce2b567c95
SHA3-384 hash: a1ac29d2495b484f752dcac35c8d1a0169f325fa4f87fbb0603e56ee0797f8ab0fade18fd640d88c1d58c683b4a3804d
SHA1 hash: d20cb1a53108cfab91222538d8f6a76ea1bcff78
MD5 hash: 0b5925272e4eb33f2974619ab59dd141
humanhash: green-edward-bluebird-stairway
File name:Trasferimento-2022-06-1T11395.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:764'416 bytes
First seen:2022-06-01 11:54:37 UTC
Last seen:2022-06-02 13:49:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:FB6SIcd1Aas8kAIQwENhgbvVdqpafJdVoI25BlpfXV2rSWsfsLE:7z0fAIQwENhgxdrfjhGBDfFUhskL
Threatray 17'993 similar samples on MalwareBazaar
TLSH T19DF4F114336C1698CA6A87761476C210533D395AAB6EDB0D3AD3648E2DF37818F077EB
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Trasferimento-2022-06-1T11395.exe
Verdict:
Malicious activity
Analysis date:
2022-06-01 11:58:12 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/11e89d40-5256-43da-8fdc-4173003a5829

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/276043/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.24303.28573.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c8f369d-80bb-45e0-aa2a-8ec0e31dda52
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1005000
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1f519abedceeaca2fffef4410b7e05feda1f2449cb49d4e7d6bbe4ce2b567c95/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 10:29:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
38
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d5izvpw452wkf7766raqw7qf73nb6jcjzne5jz6wxpsm4k2wpskq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
081195bc21c899200745e9639e1d3f5080bea9d0dd1ce66af784b8a32ea874e9
AgentTesla
138a3d541879aa44ba06ae20b2a307be5598b014977ccf18458ec3fedb102dfd
AgentTesla
1f519abedceeaca2fffef4410b7e05feda1f2449cb49d4e7d6bbe4ce2b567c95
AgentTesla
395eecdb77b7712a6b03d2aadc271d3aba5819af234565ca0d7a5a69bbb901a3
AgentTesla
49566553ad805571bd7813810b7775ad25f4acf8ba3f4b0f63abd0c5f7ddcb84
AgentTesla
63c4c713e7543f56d5e72ab4bba9422b16d451db0a901da4bcc305ba9490ed2b
AgentTesla
7561da032e558833ca895b4f0541d9c60305b3f352994b90f7db2fa845c23ef4
AgentTesla
dc4439002daba1a135459eec3633d80af47ef577535a0b32eb283525274f5fec
AgentTesla
+ 17'983 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220601-n3fjnagdf5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
7f4b794cbe8f114959f2b8f2c62f8df3a8bb118596fe8271689ed1e13150688c
MD5 hash:
be04dfd2ccd624d9d56e9b3a9b5e43bc
SHA1 hash:
6358864c3e175c09a2f5bd94a42ace3e03743984
Link:
https://www.unpac.me/results/aa8d0c79-0637-4526-9cab-7926fa41efdc/
SH256 hash:
26f313ee1529d7e8907761d1e61073acb785e34578063dfa133c28e4dfec31a3
MD5 hash:
489b808f2509eec6adff8da5308c595c
SHA1 hash:
14f44381bbede1f1eb6efc546b87ba27e1e43966
Link:
https://www.unpac.me/results/aa8d0c79-0637-4526-9cab-7926fa41efdc/
SH256 hash:
afa1d4cad580f651f33666bfbfe17f5bc599b8bb978df68f8ddf3e0c64545e7e
MD5 hash:
6d390aa38a1f4156cdee62f74cd32a12
SHA1 hash:
7948f837d62bc05bae8bf4f5cbb7ef68aa9c2674
Link:
https://www.unpac.me/results/aa8d0c79-0637-4526-9cab-7926fa41efdc/
SH256 hash:
879c29560b21be7d9b69ca27ca4756df86e080fa3e34cb191aad5cb1e5f05504
MD5 hash:
30b6a54a992eae921a2eb8c5ea130911
SHA1 hash:
1c83f0319bffe007077c6656418c9b7344d5affe
Link:
https://www.unpac.me/results/aa8d0c79-0637-4526-9cab-7926fa41efdc/
SH256 hash:
1f519abedceeaca2fffef4410b7e05feda1f2449cb49d4e7d6bbe4ce2b567c95
MD5 hash:
0b5925272e4eb33f2974619ab59dd141
SHA1 hash:
d20cb1a53108cfab91222538d8f6a76ea1bcff78
Link:
https://www.unpac.me/results/aa8d0c79-0637-4526-9cab-7926fa41efdc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f519abedceeaca2fffef4410b7e05feda1f2449cb49d4e7d6bbe4ce2b567c95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1f519abedceeaca2fffef4410b7e05feda1f2449cb49d4e7d6bbe4ce2b567c95

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/276043/

Comments