MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2245bf156417ad067db2163d23eb95772269af952be2af6af857596bcaa8efea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2245bf156417ad067db2163d23eb95772269af952be2af6af857596bcaa8efea
SHA3-384 hash: 32340899eba1766ac4a74f18268faf27902578e8c7acff0c324bcad0d4a0252edbc8a0d1d91977dbbdcfd030ce8d0982
SHA1 hash: ee322c5652d3e1900a0c9379d93f3c297ee22b7c
MD5 hash: efb7a8e2326440fd5ddb9ec49f509b41
humanhash: beryllium-solar-louisiana-wyoming
File name:efb7a8e2326440fd5ddb9ec49f509b41.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'165'824 bytes
First seen:2022-10-18 11:34:21 UTC
Last seen:2022-10-18 13:17:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:yxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussFUCSxsip:bdosi6/jUl2Fdj
TLSH T1DE4528BA22C0229FD426B1758153E9B366F77D226116D1C750D30FAFBC482BBDA12397
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1031ccc4ccccaa10 (14 x Loki, 12 x SnakeKeylogger, 11 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe Telegram

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Shipment Document BL,INV and packing list.doc
Verdict:
Malicious activity
Analysis date:
2022-10-19 07:05:29 UTC
Tags:
exploit cve-2017-11882 loader agenttesla
Link:
https://app.any.run/tasks/c7b3ee51-880e-4bee-a5c5-28e2ba64effe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321383/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.11436.6965.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634e8f678a8cb5d2d4a9df5d/reports/93ddecd0-9690-42d4-bb32-4bb0d7c624dd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3425886-2f79-48cd-a208-ce5138184b33
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1092691
Signature
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2245bf156417ad067db2163d23eb95772269af952be2af6af857596bcaa8efea/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 10:10:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejc36flec6wqm7nscy6sh24vo4rgtl4vfprk62xyk5mwxsvi57va._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221018-np1mnsfhej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5343531330:AAGJBRXMXstUjUCkHWRQxeLoip9bwkKXmx8/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/94462cdf-ffd8-4286-aac8-d583819dc50a
Unpacked files
SH256 hash:
b8ebf15134e1c3cb775f602bf901fe336cede57e9579ba4b8923a1177281a20e
MD5 hash:
826804647dd2ade28879c029f70c2d61
SHA1 hash:
bcbbb70e4ad5c54eafdeeb904564afcb511324d1
Link:
https://www.unpac.me/results/4b9baa72-6d6a-4f7d-9764-6acfc1125f8b/
SH256 hash:
f6ec93cbcf07bfa9fcb0b8d68d710159cfd37c16999fd4d5819d1359e3d3be4b
MD5 hash:
13b2cfad0d618009064619e5e6d74a66
SHA1 hash:
b81f6c8b744ef79bda857fc62b59bdffba0abc79
Link:
https://www.unpac.me/results/4b9baa72-6d6a-4f7d-9764-6acfc1125f8b/
SH256 hash:
f9d52c082efcce55d4728caa7c5bf6289e13c93bd327b01d17d4452ebe73b431
MD5 hash:
bd7d73f17c5ce7f18380e43c6f5313c2
SHA1 hash:
249b527af7b4b8d8cf84c7571c4175cc4436586e
Link:
https://www.unpac.me/results/4b9baa72-6d6a-4f7d-9764-6acfc1125f8b/
SH256 hash:
678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5
MD5 hash:
2da433d67db4775d8f02a8fed4b31bf3
SHA1 hash:
235fe8f2076f3b5cfffacc574825550cee8e61e9
Link:
https://www.unpac.me/results/4b9baa72-6d6a-4f7d-9764-6acfc1125f8b/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/4b9baa72-6d6a-4f7d-9764-6acfc1125f8b/
SH256 hash:
2245bf156417ad067db2163d23eb95772269af952be2af6af857596bcaa8efea
MD5 hash:
efb7a8e2326440fd5ddb9ec49f509b41
SHA1 hash:
ee322c5652d3e1900a0c9379d93f3c297ee22b7c
Link:
https://www.unpac.me/results/4b9baa72-6d6a-4f7d-9764-6acfc1125f8b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/2245bf156417ad067db2163d23eb95772269af952be2af6af857596bcaa8efea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 2245bf156417ad067db2163d23eb95772269af952be2af6af857596bcaa8efea

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/321383/
  
URLhaus
https://urlhaus.abuse.ch/url/2283205/
  
Delivery method
Distributed via web download

Comments