MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22c3a95888a885a0120c5e991ca0dda76239b5c92a1a416465edfe67d4d0a160. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	22c3a95888a885a0120c5e991ca0dda76239b5c92a1a416465edfe67d4d0a160
SHA3-384 hash:	4e86a3db125aaf76fa934aaa08d0b4c5244c9a8ac907daff41ce4f248aa8896df124ff5b783fb8b7cab612a014d45e2e
SHA1 hash:	6fcfda68866f6679cd01daf1cff34cbe60a22644
MD5 hash:	b6ef6516aed2a69b2633413a46c317f6
humanhash:	beryllium-carbon-delta-steak
File name:	BNE9C0-Unpacked.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'052'160 bytes
First seen:	2020-07-18 15:05:03 UTC
Last seen:	2020-07-18 16:08:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	24576:RWoYYtUIA6KPBkQ4RHjr/oKTVAsEZEvdB1NwJPo+Nx0ws1sqo052:8DiC4sgpWqo0w
Threatray	9 similar samples on MalwareBazaar
TLSH	0C25394177EB8656E2AE93FA94B1186C8BF4F001EA63EF4F1D8154AA0C937416D443BF
Reporter	3xp0rtblog
Tags:	AgentTesla AvalonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

181

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/27711/

Detection(s):

SecuriteInfo.com.Generic.DataStealer.1.C9B2B6D6.28982.10168.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Connection attempt to an infection source

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/389314

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22c3a95888a885a0120c5e991ca0dda76239b5c92a1a416465edfe67d4d0a160/

Threat name:

ByteCode-MSIL.Trojan.DataStealer

Status:

Malicious

First seen:

2020-07-18 15:06:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=elb2sweivcc2aeqml2mrzig5u5rdtnojfineczdf5x7gpvgqufqa._file

Verdict:

unknown

AgentTesla

264662e60005a099f9aaaa88e1dcee1381a3a187a158fdfbc40bbd5024407cb1

AgentTesla

36f7bb3f776e1b4d97a2cf8cd65aac04593a797a8d46936d0900041995020465

AgentTesla

422761ce807ba569d378b3130493e84a531d310d1ed8e0559d6313fdf91cd5b0

AgentTesla

4e14841c96a09f5850d1cf5fcb3526714c22d7174e3f75c8a309d8db36ecef93

AgentTesla

861878b319e66fd632f7d7623f0b56028f18d1e315680a15fc161a451ac9c788

AgentTesla

9a3b89ea2396b22020fc8e3bde1b832ca70d8b875b088f451f54e85f359380df

AgentTesla

b60f00c8d27d8282118e085eb407d706388186487ff014b1dcf238efe1ed940f

AgentTesla

e892e7f5b3919e1c3d92ee26e7b4313e753cad797e3397138a1ccef2b1289b1d

AgentTesla

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200718-bp531bqp2x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22c3a95888a885a0120c5e991ca0dda76239b5c92a1a416465edfe67d4d0a160

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/32979865-b96c-4af8-9bf1-024158ef413f/

https://twitter.com/3xp0rtblog/status/1284503833222287360?s=20

Cape

https://www.capesandbox.com/analysis/27711/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample