MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2243b96e5d10ea3cde814d3f9656d4dda67fdc75174f528d9b7de73ec63bbd22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2243b96e5d10ea3cde814d3f9656d4dda67fdc75174f528d9b7de73ec63bbd22
SHA3-384 hash: 958e081fa2723311448fcc849d09e9518ca54c7b50047c13b091c6b7a592ed8b6f7e56983c6d3ef7e412472b29821745
SHA1 hash: 594562448b5362060e25409f29f3f50e89888a62
MD5 hash: cff0d2216262f0c765d42b7a8c025962
humanhash: crazy-two-winter-high
File name:Dekont2024-02-01-PDF.pif
Download: download sample
Signature AgentTesla
Create hunting rule
File size:771'072 bytes
First seen:2024-02-01 08:46:00 UTC
Last seen:2024-02-01 10:22:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:qNvrd53rD22qr+Adx2ITRsRuB5y7UN/BjUJCXVFsdvBw5H4Nyfq8ox/48f4W:ql3rDIZdkIlKuTy7gpUOLaBw5Hsyy8oe
Threatray 5'290 similar samples on MalwareBazaar
TLSH T16EF4126492ED4F26C67C87F9386090000FF3B9697620E79E2FC960ED1AA3B45CB91757
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 13333b33333b3b23 (11 x AgentTesla, 5 x Formbook, 2 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe geo pif TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/473986/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.1821.27640.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd explorer hook keylogger lolbin masquerade packed regedit
Link:
https://www.filescan.io/uploads/65bb5a5abc91f83c80753fa5/reports/03edc022-0f87-419d-8046-11fd547980e1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2243b96e5d10ea3cde814d3f9656d4dda67fdc75174f528d9b7de73ec63bbd22
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edc4fbad-fc31-4ddd-abb2-7f7b344fd960
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1384664
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2243b96e5d10ea3cde814d3f9656d4dda67fdc75174f528d9b7de73ec63bbd22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2243b96e5d10ea3cde814d3f9656d4dda67fdc75174f528d9b7de73ec63bbd22/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-02-01 08:46:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejb3s3s5cdvdzxubju7zmvwu3wth7xdvc5hvfdm3pxtt5rr3xura._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
772c3cd8d8d7bc1043d33a0f97e74e9e97754752f0a3d9c50aa28bfc1784acd3
AgentTesla
a22a4df8d6f89b8a880e15dc6ee0c197252d8bd70b6b98ddfafcc73f9bc274ba
AgentTesla
e6d8312356c497c9781cf72f5bbb56a16643c7c3dd4fbc1745fa92577702de62
AgentTesla
e9da8094392d8124c615595ebabc8e3ce15c94922c7f5540e12974eee9113a86
AgentTesla
fd3c1907423ee42b394833ce43061bd8656e4250b63b5f0da32d6b101c99cfe8
AgentTesla
+ 5'280 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240201-kpbrrsaacj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla
Unpacked files
SH256 hash:
00b8391a010107fcc18c0e06431b0156292b2487c1d4888d95f4ca09d17cdce4
MD5 hash:
bb75d3e5acffffcd10dc98856ea74cc5
SHA1 hash:
c66e5a369455a1369bb110a55a72ef5f0c449c65
Detections:
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/3ecd32e6-7afb-4250-826e-787e7084e9de/
Parent samples :
a22a4df8d6f89b8a880e15dc6ee0c197252d8bd70b6b98ddfafcc73f9bc274ba
e9da8094392d8124c615595ebabc8e3ce15c94922c7f5540e12974eee9113a86
336e8eb3106938d99dc7e86e9cbf838c346b59c651a25fde531a0535af2bcb29
e6d8312356c497c9781cf72f5bbb56a16643c7c3dd4fbc1745fa92577702de62
772c3cd8d8d7bc1043d33a0f97e74e9e97754752f0a3d9c50aa28bfc1784acd3
9a4013cdd5488461e82b55c160a6ce67b72064b559433126ebfdef69b34b32f8
9332e08a8bb23a66d9c1003c97fa4efbe3b5aaaf804d8a4ebb51323df3ade564
fd3c1907423ee42b394833ce43061bd8656e4250b63b5f0da32d6b101c99cfe8
86285f3a7c555199aa898576925efe7020933bfe73ea07aff19712b651dabdf1
02f07b4febbbf92a6bf6b30a6dd98ea51df1792f014eff9483f57feb0ee97538
26ed08d9f1a0832cc912b2b997685a52a8d3ac1b65bcc425b317db53446f7ffe
c9299fe5ed7896a57647e91989b9f0eaaaf695a0327badb974c595f461602645
2243b96e5d10ea3cde814d3f9656d4dda67fdc75174f528d9b7de73ec63bbd22
SH256 hash:
d2cf3273461ffa1b29715828f358368312ae4f08a731f4e449a44f6dc50e26c5
MD5 hash:
df7936d5ea0c80f3003b445c7f8deb44
SHA1 hash:
b995b22e77a11cda256e84a01ccadb85451460ed
Link:
https://www.unpac.me/results/3ecd32e6-7afb-4250-826e-787e7084e9de/
SH256 hash:
a91462e9c8e5d78d4047a80eb89a38c6e76e5d4cf6ac8ff7142e19bb7ecfbb82
MD5 hash:
b3200a8295f2098fa0078754ab6728ce
SHA1 hash:
b84d3cbebfd2eb9822664ca47fe56e6ee95e0ddc
Link:
https://www.unpac.me/results/3ecd32e6-7afb-4250-826e-787e7084e9de/
SH256 hash:
581b4dc91ca1f0539f700fadda377b1ecf4c8f48baf4c1ed2ced0b8672757cb9
MD5 hash:
cbce50a4e44b2f57861da18778f7513b
SHA1 hash:
b7bf99865d944f46cdf16f6fd6c7e52b2aea07eb
Link:
https://www.unpac.me/results/3ecd32e6-7afb-4250-826e-787e7084e9de/
SH256 hash:
0943725ea68f4e824444180ce2f48532de124ee5261fcaf2ea91a4032526d547
MD5 hash:
ed543bcd4d982f2b4a337417b3761c2f
SHA1 hash:
89fdca6062c71f0e7d661585bbf647b83236080c
Link:
https://www.unpac.me/results/3ecd32e6-7afb-4250-826e-787e7084e9de/
SH256 hash:
2243b96e5d10ea3cde814d3f9656d4dda67fdc75174f528d9b7de73ec63bbd22
MD5 hash:
cff0d2216262f0c765d42b7a8c025962
SHA1 hash:
594562448b5362060e25409f29f3f50e89888a62
Link:
https://www.unpac.me/results/3ecd32e6-7afb-4250-826e-787e7084e9de/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2243b96e5d10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/2243b96e5d10ea3cde814d3f9656d4dda67fdc75174f528d9b7de73ec63bbd22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2243b96e5d10ea3cde814d3f9656d4dda67fdc75174f528d9b7de73ec63bbd22

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/473986/

Comments