MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de
SHA3-384 hash: f534c413039ab78f737e9641e9446532029137ee870e4f853840bd963eda24e1caeb9e5ce584bf3e99caa0c2bbf9494c
SHA1 hash: d61e69ba0c964840af02dae73d99cbce8d1cbba4
MD5 hash: fbb368f11e24f0913fabfec7ce885ab7
humanhash: music-kilo-steak-diet
File name:NEW ORDER STS5492(338)042023_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:576'000 bytes
First seen:2023-04-18 06:13:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:BLcLc+Ahu2Xed/GilHVm3umjD2SgScOKz6S0F/DeJ:BLcLKb8+ilHVIVf2jS8zRODi
Threatray 2'200 similar samples on MalwareBazaar
TLSH T1EEC4F129C175ADF2E6ED0A32041436EDDE3096E37877C53C0B9674DAEB9EB192D84087
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW ORDER STS5492(338)042023_PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 06:15:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c18f1907-3ebe-4d0e-af6e-f79334d41bbd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382941/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643e352b46e0911fda9ebd77/reports/196896b3-e30a-4d4a-96e8-2c1ad5936fb7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99425616-59d5-4563-a424-15000b5cfe97
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215667
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejzdixbuvgujwg6dqa7fsbbanktge2igehgw57jbb6jmssaryhpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e73aae6a487b8bd66f0faf160523ff271831de6039de29b5e93289bab655382
AgentTesla
397ca8a839fae5e6c07fd3036a25e5df37220967ad381ca181da0a97354ed8cd
AgentTesla
6afbb9ebc94ae5fbc1a98207af3ce84dec75c243605ebbd6b15b721165e4130a
AgentTesla
875f736e15e9825359679dd4482ef43a0d4ac3274c9ea4b3a8df90fa5d9ed47c
AgentTesla
898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca
AgentTesla
a036acc68623b42509e807b81be7270e1fc0c626aa15d8164d2f52bd321be1fd
AgentTesla
d5d18f9417c9f5268a707e6c276d8318f0bc399302ff07d8d8319257c9dac063
AgentTesla
d8d96fb0f87869e18b2f527be9a50e08768896ae6df8df2311a71bac4281a1e2
AgentTesla
e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef
AgentTesla
+ 2'190 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230418-gzbmzaaa24/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/cd8eea59-e3db-40a2-a400-11c430ff5dd6/
SH256 hash:
e346e546291022b91d7ae8c1a6253e3e110b1bf4e8581e2f878a0fd412595570
MD5 hash:
a8d14deedd54f23e13b3f4fb5a067ea1
SHA1 hash:
d3a5fae88cb2615d42ff1ba0e02562c2c95cd0ba
Link:
https://www.unpac.me/results/cd8eea59-e3db-40a2-a400-11c430ff5dd6/
SH256 hash:
46072018443cdfb307ef241c0ce18b432e118ff03e2eeb72dd658053b1f0910f
MD5 hash:
1e2987cdcc4382d19dd1a7432f18ac7d
SHA1 hash:
bbf49c7c1e3c3ba1e13a1c1e28c16b0d0f0f6bcd
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/cd8eea59-e3db-40a2-a400-11c430ff5dd6/
Parent samples :
2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de
21267f1c9f80d23b5c5199bddeec69bfc45b04de306bf05939622c5c4ca8887a
83d1c6995d6bb86139c6ead750d64648c2f0dd60d759e34ebbf3725518de8fdf
746604779bf099b84b5a237bc6e777b10cd9ca0d02e49e136f4856debbb89d65
f1dcc38bd18b2cc106bcf1c3800931658d0b7463f7259916dec7c123830045c5
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/cd8eea59-e3db-40a2-a400-11c430ff5dd6/
SH256 hash:
32c4a1c869bf0979ed6b2cfa6aff0e4904386854ecfbc4bdfb98b78950e212cc
MD5 hash:
9249c1018e0c79474a7bc8d2cea9eeec
SHA1 hash:
14ce10b1d67a95389f6a3014998cc14af26f2314
Link:
https://www.unpac.me/results/cd8eea59-e3db-40a2-a400-11c430ff5dd6/
SH256 hash:
2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de
MD5 hash:
fbb368f11e24f0913fabfec7ce885ab7
SHA1 hash:
d61e69ba0c964840af02dae73d99cbce8d1cbba4
Link:
https://www.unpac.me/results/cd8eea59-e3db-40a2-a400-11c430ff5dd6/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2272345c34a9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382941/

Comments