MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22512680072190841299ff6b78ddc17fe240c0a7600b51ec7e14b35403c7a8a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22512680072190841299ff6b78ddc17fe240c0a7600b51ec7e14b35403c7a8a7
SHA3-384 hash: c12c86d7a21e61a5b819d509574e4ae5a224e52ae7bd0875e7789987560b2861e922bfd107a35f1d9ac2b79fcc669c28
SHA1 hash: f9850aa0de1148d5e5755d88145fe70393a9067f
MD5 hash: 85bf4951511bb73cb0dd00c7f5b225a5
humanhash: uniform-alpha-beer-fish
File name:PAYMENT_SLIP‮lecxe.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:540'672 bytes
First seen:2022-02-02 12:08:23 UTC
Last seen:2022-02-02 14:17:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:+hNt5H5YhbdQmEV6SCMx6co9iugTqUfvlT3pQN/ZeBtx5lEe6hU7prl6Uc8rQE5r:Ct5CLkp4gbsRKtJEFUZl6CrL5
Threatray 18'737 similar samples on MalwareBazaar
TLSH T1A2B4AD36239C2B58F03DB73AD124560183F4F917E722E6EFFDA990D81491F424BA2B56
Reporter ffforward
Tags:AgentTesla exe RTLO scr

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/230018/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.20882.20692.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Running batch commands
Launching a process
Creating a file
Sending a custom TCP request
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/61fa74616d25ac9e79fbe8eb/reports/601c64e3-401e-42b8-b3a3-fe91dc8e971e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1f3384c-8ba3-452e-94fa-5fedf3ac4f40
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/932592
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Creates an undocumented autostart registry key
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 565071 Sample: PAYMENT_SLIPlecxe.scr Startdate: 02/02/2022 Architecture: WINDOWS Score: 88 41 Multi AV Scanner detection for dropped file 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 .NET source code contains method to dynamically call methods (often used by packers) 2->45 47 2 other signatures 2->47 7 PAYMENT_SLIPlecxe.exe 3 2->7         started        process3 file4 29 C:\Users\user\...\PAYMENT_SLIPlecxe.exe.log, ASCII 7->29 dropped 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->49 11 cmd.exe 1 7->11         started        14 cmd.exe 1 7->14         started        signatures5 process6 file7 51 Drops PE files to the document folder of the user 11->51 53 Uses ping.exe to sleep 11->53 55 Uses ping.exe to check the status of other devices and networks 11->55 17 reg.exe 1 1 11->17         started        20 PING.EXE 1 11->20         started        23 conhost.exe 11->23         started        31 C:\Users\user\Documents\team.exe, PE32 14->31 dropped 33 C:\Users\user\...\team.exe:Zone.Identifier, ASCII 14->33 dropped 25 conhost.exe 14->25         started        27 PING.EXE 1 14->27         started        signatures8 process9 dnsIp10 39 Creates an undocumented autostart registry key 17->39 35 127.0.0.1 unknown unknown 20->35 37 192.168.2.1 unknown unknown 20->37 signatures11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/22512680072190841299ff6b78ddc17fe240c0a7600b51ec7e14b35403c7a8a7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-02 12:09:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
62
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejisnaahegiiieuz75vxrxobp7rebqfhmafvd3d6cszvia6hvctq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
57d174cba1f8d71729c92a0f826b379491585dd53e1d1a11397b46ae6049f217
AgentTesla
6047a91d032880e1ea8040478c47524e3940f786fcb4e2708428e9db81fb559e
AgentTesla
68c0f9e10a5529d1a3d7031f4364a7e04746db13515041c94ceecf9a706fc671
AgentTesla
6a24ab81488efe130ff37ee21f06443dd8c23c156ca94a714907798fd1fae44b
AgentTesla
9d8d3289fc5f2622930c11efcd85d177175e1809a1a50fd366ea9f00e37acd2b
AgentTesla
9f3e8d8d088ecf0b56a9550796d1df4168ba8354c26b8a2692703ff691e47b1e
AgentTesla
ced2482a9d4316028a8ae3edc49a1dbe1ecd1f76b1a4c6a682505d3b7dd78146
AgentTesla
d5f80e9387db18edbf4d102bbdb0fc8e9234674c9ccfd7e198f348c4be55e8bf
AgentTesla
fdc6147674cf5ca10fa32f9ad8b7f8710e2759d4a8fe997f0404866d106a3b98
AgentTesla
+ 18'727 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220202-pbgs3sacb2/
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
48a28ec7c5d33367e167b9cbe8f815accc90018cbeffca8650bb77eab7bf4c8c
MD5 hash:
2ba2d580b5cbb744fe56126d656292c6
SHA1 hash:
b56c4c30515f35c4a00f240e316732a38ca40d7e
Link:
https://www.unpac.me/results/262a35e7-e99d-428e-b987-5f5d5985d40f/
SH256 hash:
e036660b56e1439cf1706f557444222038a1da26190dffe5c27e9ea006cd1708
MD5 hash:
4d1b753a65eda9b108806b70e17f85d0
SHA1 hash:
4018fd3cb7f05868618be82c7498028dd79aab75
Link:
https://www.unpac.me/results/262a35e7-e99d-428e-b987-5f5d5985d40f/
SH256 hash:
22512680072190841299ff6b78ddc17fe240c0a7600b51ec7e14b35403c7a8a7
MD5 hash:
85bf4951511bb73cb0dd00c7f5b225a5
SHA1 hash:
f9850aa0de1148d5e5755d88145fe70393a9067f
Link:
https://www.unpac.me/results/262a35e7-e99d-428e-b987-5f5d5985d40f/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/225126800721/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22512680072190841299ff6b78ddc17fe240c0a7600b51ec7e14b35403c7a8a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 22512680072190841299ff6b78ddc17fe240c0a7600b51ec7e14b35403c7a8a7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/230018/

Comments