MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21872d29795b2487ee5e10d4dac7aaeec6b823fe56be45905e785f58f4802e23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21872d29795b2487ee5e10d4dac7aaeec6b823fe56be45905e785f58f4802e23
SHA3-384 hash: 2497209fb61caea3068fec2940b90c0cd8ba99e25056509615de2b2e3713f3f46c85797e9191bf06e468fa04e3552210
SHA1 hash: 3983d5d5f62b08f3b08033856253d982ed37c9b2
MD5 hash: 08aeea703b8f1cf9558eabeae48565a8
humanhash: cat-crazy-north-hamper
File name:doc202205240009987000001.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:758'272 bytes
First seen:2022-05-24 12:18:43 UTC
Last seen:2022-05-24 12:51:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:OLwNxFkQbsloAIPPFkui/Ub7lRvfwEwImITgaQ+MNBdBISI+P41wEuEFtMnP:OLOsloTe/UPLwUmMga8B6+OwEuEFtMnP
Threatray 16'618 similar samples on MalwareBazaar
TLSH T10EF4E119B6A6CD13C3281AF6C1D35A1403F19947A372D78B3ED912D20E067E5ADCE78B
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2961d3133038ee8 (24 x AgentTesla, 18 x FormBook, 8 x Loki)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
doc202205240009987000001.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 03:49:13 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/0b060ef7-cc31-455b-af4c-adf0d3cc9bdc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274062/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/628ccd38054dcf0ecae79068/reports/7170ee73-8a67-4af9-bff5-68454f9e8abe/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4af4c31f-0668-4ba0-a4c6-32fe08ee1e75
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000603
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 633099 Sample: doc202205240009987000001.exe Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 10 other signatures 2->39 7 doc202205240009987000001.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\nzNNFeZ.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpDF77.tmp, XML 7->25 dropped 27 C:\Users\...\doc202205240009987000001.exe.log, ASCII 7->27 dropped 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 7->45 47 Adds a directory exclusion to Windows Defender 7->47 11 doc202205240009987000001.exe 15 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 29 api.telegram.org 149.154.167.220, 443, 49789 TELEGRAMRU United Kingdom 11->29 31 192.168.2.1 unknown unknown 11->31 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21872d29795b2487ee5e10d4dac7aaeec6b823fe56be45905e785f58f4802e23/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 12:19:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egds2klzlmsip3s6cdknvr5k53dlqi76k27elec6pbpvr5eafyrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
5bf9f321e795da8caa68cef487b457a673fc98aca56cbbcf70fdf7f180d32ec9
AgentTesla
6131b03eaf029cbe944219f41fc09fa65fbf15bac4de218ad1210bbc29e22772
AgentTesla
71881316918836c22fd8dd6f6e7d8759cd49943ec5f467f6be628f223b37d122
AgentTesla
ada82cc63307ef87e14cfdcb3e01265fa581b4f55076dcff53e7421b6a2c8830
AgentTesla
b3587ff41c4ab5cfd37aa464d4f32ec71e86860b9089da3ea4df459a3d44b446
AgentTesla
fb6c380b910cba16a60426c3671d3b19e5a90fa1061769178edc7a0821c8224f
AgentTesla
fb72ec8effa840d66cb8783f6045590f7296d2df886b9ac5db48a684a3f87e29
AgentTesla
+ 16'608 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220524-pg6pdsaag3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5310370668:AAEdB2nfvvFj53YoaxJ-AleA2m93WUxxyM0/sendDocument
Unpacked files
SH256 hash:
a936419b701428167d1f2f6a35242a3d1b4be76314d370e3cc10654d2b46c700
MD5 hash:
782855252a5c7e51f82bc13df062af6a
SHA1 hash:
d1a28186aad122075734ee484adc541a6316099d
Link:
https://www.unpac.me/results/1e4c48e0-a5cc-4176-8859-87663516cdb3/
SH256 hash:
5af3e39dced97aa275811d3b3831fa40195038732e8881a6a98d95cb07d0620b
MD5 hash:
7b29882a364e8cd8d52c4ac8b4b791d3
SHA1 hash:
cb5ff31339dbe81ac9e465153900c14fcc253a4d
Link:
https://www.unpac.me/results/1e4c48e0-a5cc-4176-8859-87663516cdb3/
SH256 hash:
0cdb66ee6442d7989b4f951ba46c1badfe8e9a45c66d246753c233d19f93ebc1
MD5 hash:
3199b910a65e384e38a09f1d1c08e7e3
SHA1 hash:
c99ad4f639be47ebc71eb7519646e3b62f96e48c
Link:
https://www.unpac.me/results/1e4c48e0-a5cc-4176-8859-87663516cdb3/
SH256 hash:
3003bf2fc932bfb659dec290e48a106acd94cadc036cd9898526790982c042f8
MD5 hash:
eeca64f2007403190475938b2f65c1d4
SHA1 hash:
b377ad49453b5f5b7eee3902ff26feb6d7e6fed3
Link:
https://www.unpac.me/results/1e4c48e0-a5cc-4176-8859-87663516cdb3/
SH256 hash:
b962a491c44fba821cff45e563530bdd83121aa7133b2578c3f1a0280c31bef5
MD5 hash:
5f85bbdb52510d3eeb621396637bb5c8
SHA1 hash:
5a1d3a8dd38cbc9273f3432034cb581b016e1644
Link:
https://www.unpac.me/results/1e4c48e0-a5cc-4176-8859-87663516cdb3/
SH256 hash:
21872d29795b2487ee5e10d4dac7aaeec6b823fe56be45905e785f58f4802e23
MD5 hash:
08aeea703b8f1cf9558eabeae48565a8
SHA1 hash:
3983d5d5f62b08f3b08033856253d982ed37c9b2
Link:
https://www.unpac.me/results/1e4c48e0-a5cc-4176-8859-87663516cdb3/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/21872d29795b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21872d29795b2487ee5e10d4dac7aaeec6b823fe56be45905e785f58f4802e23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 21872d29795b2487ee5e10d4dac7aaeec6b823fe56be45905e785f58f4802e23

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274062/

Comments