MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 226e0022648aedb9a4a3524e4cc346e8670f8e727b7c587747e2c5806388b0b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 226e0022648aedb9a4a3524e4cc346e8670f8e727b7c587747e2c5806388b0b2
SHA3-384 hash: 38f3a5e7cbe2535c66b5a320ca7ce5389953b1be003d3b69fedf1cf82f740608cdb3f9b7672e75ca82a016ffcc37dffe
SHA1 hash: f35c832a622e34915f9cff6184d1cabcc738eeea
MD5 hash: b8c587dd3b21c37840151a5196514081
humanhash: steak-edward-romeo-arkansas
File name:Order-202309876........pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:655'872 bytes
First seen:2023-07-12 13:31:35 UTC
Last seen:2023-07-12 14:42:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Xfruu90/bsY0cQWMOiSXVBuaSoYjMBx6XSzpkORJjaFh/a:XDV90/bS4i3gBQizKKjU/
Threatray 495 similar samples on MalwareBazaar
TLSH T15AD4ACC6E17AE2D3D82436B9244505042E383FC17865F2A49C7BB1F676F5A0433A76BE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Order-202309876........pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-12 13:37:04 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/13de1da5-07f8-412b-915a-c807b29b094f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/416846/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop22.33874.11194.30954.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64aeab556da82c3a59cc1c38/reports/ff95e235-a886-47f0-822f-7d2b82c11062/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/226e0022648aedb9a4a3524e4cc346e8670f8e727b7c587747e2c5806388b0b2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d43abddb-18a1-4c43-9846-3121331c799c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1271788
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1271788 Sample: Order-202309876........pdf.exe Startdate: 12/07/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Found malware configuration 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 5 other signatures 2->49 7 Order-202309876........pdf.exe 7 2->7         started        11 VWdKJwv.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\VWdKJwv.exe, PE32 7->31 dropped 33 C:\Users\user\...\VWdKJwv.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpFBCD.tmp, XML 7->35 dropped 37 C:\...\Order-202309876........pdf.exe.log, ASCII 7->37 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 7->53 55 Adds a directory exclusion to Windows Defender 7->55 13 Order-202309876........pdf.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        57 Multi AV Scanner detection for dropped file 11->57 59 Machine Learning detection for dropped file 11->59 21 VWdKJwv.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 discord.com 162.159.138.232, 443, 49694, 49695 CLOUDFLARENETUS United States 13->39 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        41 192.168.2.1 unknown unknown 21->41 61 Tries to steal Mail credentials (via file / registry access) 21->61 63 Tries to harvest and steal browser information (history, passwords, etc) 21->63 65 Installs a global keyboard hook 21->65 29 conhost.exe 23->29         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/226e0022648aedb9a4a3524e4cc346e8670f8e727b7c587747e2c5806388b0b2/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-07-11 08:04:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
24 of 38 (63.16%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejxaaiterlw3tjfdkjhezq2g5btq7dtspn6fq52h4lcyay4iwcza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4935b7b5bdb8c0c1e2cf55a18e34ad005f079ec2a0a2bddaa73fdd8589e27bb0
AgentTesla
566f2fd2ff0412f8332a6fd9c476118042ef9d036bdcba60dedf9a57004aceb0
AgentTesla
5e881d862c1fcfad157b83ace7ec9bb4dca45ded3d70b1e19223ab7c0e2e9839
AgentTesla
60755b9a1273f9dc3834df3111a64542a47ea1cb334aa95ae4515476a8b048da
AgentTesla
6c635a7964534b07a6f3de24276ee3b7313c008721584847397cb89dcc536f0b
AgentTesla
9e3f6e981b57721cd4ba45235870449e34b48b49b5242c7973cfb02cceba77d4
AgentTesla
9f29c03e841135fcb0dab46e9b00e50def6d3427d53ce4e8a4c3e06d0c15d1d6
AgentTesla
c5c27f94d50eca563c17c9c60ee6676f59e5254d0a9b29dfc445d6782d217c3f
AgentTesla
ec59b27201c294ab408c3b8dbea942bc83659efe39417e84f2af6e84baf16ff7
AgentTesla
+ 485 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230712-qsyctsed6z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1127497008349991052/2pfgcCkg9HhvFXz-_67eTXedKLfy0wDVySLWXg-KoDMnLLYTn9NHg5SgWpVBc_bPoSsa
Unpacked files
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/7bf68666-4f70-4dd6-b58e-9350e08cca4c/
SH256 hash:
9f04f685e753f0b5b765670c6d3fdf68f703d83b51acaf80c46933f075cbb74e
MD5 hash:
45fecd229aa36cfc2820163a9718a8e4
SHA1 hash:
80e6dcfdd34cd51bca1fa158a6029dd8f1e78992
Link:
https://www.unpac.me/results/7bf68666-4f70-4dd6-b58e-9350e08cca4c/
SH256 hash:
2533d367f9ac30872666f71c6c786ddf9c1a60e24e07dfbc015d1640c5882743
MD5 hash:
8f43f2be0d3afe4c94a76594f04a9735
SHA1 hash:
6ab89fc9c930c99412593c7237baccc90f8c4c5b
Link:
https://www.unpac.me/results/7bf68666-4f70-4dd6-b58e-9350e08cca4c/
SH256 hash:
770a759e96cbf45ce42671337ca09dce09bd24d67ed262c2efe948958d7c1331
MD5 hash:
0deae38d78a3ce4aff531fe512e2eeb5
SHA1 hash:
564deae9e9a7f9fb9ddae972ecea4f627364c8a9
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/7bf68666-4f70-4dd6-b58e-9350e08cca4c/
Parent samples :
09581fc9ed4ea3eac091a119cd524856ef8a9236c54b3269c3c7898d380b2a4d
226e0022648aedb9a4a3524e4cc346e8670f8e727b7c587747e2c5806388b0b2
SH256 hash:
226e0022648aedb9a4a3524e4cc346e8670f8e727b7c587747e2c5806388b0b2
MD5 hash:
b8c587dd3b21c37840151a5196514081
SHA1 hash:
f35c832a622e34915f9cff6184d1cabcc738eeea
Link:
https://www.unpac.me/results/7bf68666-4f70-4dd6-b58e-9350e08cca4c/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/226e0022648a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/226e0022648aedb9a4a3524e4cc346e8670f8e727b7c587747e2c5806388b0b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/416846/

Comments