MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22059817e04f84b60175d20e225c713482cd8091ecd4bb74a70946d4826da7f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	22059817e04f84b60175d20e225c713482cd8091ecd4bb74a70946d4826da7f4
SHA3-384 hash:	5d0040dcdbc9b60e0a4b36b17c9afd7fc5147219650f55bcc8a2590bad31a1d778d652c3cf3a474dc92edbda9fe1cd64
SHA1 hash:	4ff3db18d389c2d89acdba0740405059f193b92f
MD5 hash:	329bcd5a70b96270e6f2e310e75a0a42
humanhash:	double-moon-oven-magnesium
File name:	SHIPPING INVOICE DOCUMENTS.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	31'744 bytes
First seen:	2023-06-16 05:50:54 UTC
Last seen:	2023-06-19 15:42:16 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	384:J/IVY81CIzFoOt9eTmdIxrWa3huASlvgCN1iE7ZBNvWZXb95rZOVyYzbQt5z6HlQ:J/IVNl3tIThxJaLtSXz1gyYnQnal0wFk
Threatray	2 similar samples on MalwareBazaar
TLSH	T199E23A146BF88362E5AD4B7E9471111403B6BB733633E32C5FC658D92AA33908A55BF3
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

377

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SHIPPING INVOICE DOCUMENTS.pdf.exe

Verdict:

No threats detected

Analysis date:

2023-06-16 05:53:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a5808bcf-2086-4f60-9ff6-dd6d27b14cb5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/399402/

Detection(s):

SecuriteInfo.com.Win64.WormX-gen.7839.24880.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Forced shutdown of a system process

Stealing user critical data

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin masquerade

Link:

https://www.filescan.io/uploads/648bf848153b44fd385a1059/reports/b90c87b6-edb1-431d-a18d-f6e34c795b69/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/22059817e04f84b60175d20e225c713482cd8091ecd4bb74a70946d4826da7f4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/96f92a97-e327-466b-9cb6-5d2271f8ee80

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1255786

Signature

.NET source code references suspicious native API functions

Antivirus detection for URL or domain

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample has a suspicious name (potential lure to open the executable)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22059817e04f84b60175d20e225c713482cd8091ecd4bb74a70946d4826da7f4/

Threat name:

Win64.Trojan.Leonem

Status:

Malicious

First seen:

2023-06-15 17:27:33 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 36 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eiczqf7aj6clmalv2ihcexdrgsbm3aer5tklw5fhbfdnjatnu72a._file

Verdict:

malicious

AgentTesla

a26842becdd6ced8f2b44de90122dbd4cc027348b569ef32703749bac877ca6f

AgentTesla

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230616-gj6headb32/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Uses the VBS compiler for execution

Unpacked files

SH256 hash:

22059817e04f84b60175d20e225c713482cd8091ecd4bb74a70946d4826da7f4

MD5 hash:

329bcd5a70b96270e6f2e310e75a0a42

SHA1 hash:

4ff3db18d389c2d89acdba0740405059f193b92f

Link:

https://www.unpac.me/results/14596af8-6832-48a3-a73a-11e7c7232683/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/22059817e04f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22059817e04f84b60175d20e225c713482cd8091ecd4bb74a70946d4826da7f4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 22059817e04f84b60175d20e225c713482cd8091ecd4bb74a70946d4826da7f4

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/399402/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample