MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22c4b05bcf26647a2464500666ec31c235599a73765d4cd3452721eb2cf2b020. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 2 File information Comments

SHA256 hash:	22c4b05bcf26647a2464500666ec31c235599a73765d4cd3452721eb2cf2b020
SHA3-384 hash:	36760509386f2782ba21ee257f9540e9997c33e6ec7ab6ae3b0ff7fe3500af73b727c5af470010097a91e2584beba604
SHA1 hash:	2aff7c4bc5baba90c871513a1d5f9e17e2846b8f
MD5 hash:	340abe0007e32743fc701080d3c4a7e5
humanhash:	wyoming-kansas-delaware-undress
File name:	CTM REQUEST BIRTHSHIP.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	592'384 bytes
First seen:	2023-06-27 06:15:49 UTC
Last seen:	2023-06-27 06:16:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:EFtpAq2iNCXqf52uanTd0ti5ljWBw+mmewtzDrEj5C1F5bxKqo1a:EFUq1kXkYnpf5Em+mFazD
Threatray	4'139 similar samples on MalwareBazaar
TLSH	T1EDC4F19C369072EFC467C9779EA82C64F620B87B930BD613A01311AC9E4E697CF155F2
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

269

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

CTM REQUEST BIRTHSHIP.exe

Verdict:

Malicious activity

Analysis date:

2023-06-27 06:16:57 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/38f6ad8e-8f85-4b7a-b733-19b00453f126

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/403109/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/649a7ea64a3ab977be88f84c/reports/980607ac-db0b-4feb-aeed-f27930a70de2/overview

Verdict:

Malicious

Labled as:

Ransom.Loki.Generic

Link:

https://www.hybrid-analysis.com/sample/22c4b05bcf26647a2464500666ec31c235599a73765d4cd3452721eb2cf2b020

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e097bd01-e332-4b7b-967a-07e93458cb35

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1261828

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/22c4b05bcf26647a2464500666ec31c235599a73765d4cd3452721eb2cf2b020/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-27 02:40:53 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=elclaw6pezshujdekadgn3bryi2vtgttozouzu2fe4q6wlhswaqa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0b27deefbf362687701891f8fcbacf4122ce0a6e4972bc7b68cc8f3e7034b1eb

AgentTesla

1e78015efee2b6e94749afd35ae539a88520ff959e06ca20683c6d0d7218b4c2

AgentTesla

269eb2984329ea60c2c535da059d969281c23a75acab61503e10dfc00e1381b3

AgentTesla

2f64531d71dd54c1e57e33a70a8b019bfb7997a2552f1b4ec63ce80bc6b07fff

AgentTesla

3d3b0128f3bd2fd0c85b37496812b834ae8b2a9bc454eab9d04748182da5d25d

AgentTesla

7581026b5d2f0521ed0e40ef5ad28dec7c9b3e2b113cceea5eb63483af1463d6

AgentTesla

f9b13ca40817f89e08b9487deabbf646e94d0d3b37b47c1292c8910d1f330a5a

AgentTesla

+ 4'129 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230627-g1f9vaeb51/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

94d341df30a3c6ce139f083130367e95fe8013493eb24492d45112229a10bb0d

MD5 hash:

679b96b9c6239afa9e77857541699ee5

SHA1 hash:

9460f7df2b036ab6be7eca0fb7b22aeeb76c033c

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

Parent samples :

720be830d608d17de8f83bde1fd7a90db5bd75ebad8fbe10d60ea4bd1fa9f760
1e78015efee2b6e94749afd35ae539a88520ff959e06ca20683c6d0d7218b4c2
22c4b05bcf26647a2464500666ec31c235599a73765d4cd3452721eb2cf2b020
0b4d7a81cb8f89e34562cd756540d3dd62176c0fa829d7dba9db2c727b92aef0
b017455b50865cfdd26486b8c6d8348294ee6fba27ea97eb2d94e6a56b7397b5
edc2598baa07918d489c7642acc5d1051506ca818323627769d3b4d6f218eacb

SH256 hash:

68f415ab5ad686e3c50f2bd080b5dae527005907fa2757d675fe4fabce466541

MD5 hash:

fe1dc254ed9e3501b7a6a5f6a20194e7

SHA1 hash:

31971347bf63d60cadcfba6857b8b7237bfc986f

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130

MD5 hash:

3794c5f7b240e4184d6ea90c5bdd9ec6

SHA1 hash:

26b9c4a753779b4994fe38c16dfe70b07efd3e0d

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

1010cb1708c92af55bb83f438c414eba4f07330b749d9d4b91497dd4ab58b55a

MD5 hash:

74cc3258a14dd19bb5b42f5c7a5e664e

SHA1 hash:

055473c7006b38ab11eb4988d5d55b553e4f1d51

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

94d341df30a3c6ce139f083130367e95fe8013493eb24492d45112229a10bb0d

MD5 hash:

679b96b9c6239afa9e77857541699ee5

SHA1 hash:

9460f7df2b036ab6be7eca0fb7b22aeeb76c033c

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

Parent samples :

SH256 hash:

68f415ab5ad686e3c50f2bd080b5dae527005907fa2757d675fe4fabce466541

MD5 hash:

fe1dc254ed9e3501b7a6a5f6a20194e7

SHA1 hash:

31971347bf63d60cadcfba6857b8b7237bfc986f

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

94d341df30a3c6ce139f083130367e95fe8013493eb24492d45112229a10bb0d

MD5 hash:

679b96b9c6239afa9e77857541699ee5

SHA1 hash:

9460f7df2b036ab6be7eca0fb7b22aeeb76c033c

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

Parent samples :

SH256 hash:

973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130

MD5 hash:

3794c5f7b240e4184d6ea90c5bdd9ec6

SHA1 hash:

26b9c4a753779b4994fe38c16dfe70b07efd3e0d

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

1010cb1708c92af55bb83f438c414eba4f07330b749d9d4b91497dd4ab58b55a

MD5 hash:

74cc3258a14dd19bb5b42f5c7a5e664e

SHA1 hash:

055473c7006b38ab11eb4988d5d55b553e4f1d51

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

68f415ab5ad686e3c50f2bd080b5dae527005907fa2757d675fe4fabce466541

MD5 hash:

fe1dc254ed9e3501b7a6a5f6a20194e7

SHA1 hash:

31971347bf63d60cadcfba6857b8b7237bfc986f

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130

MD5 hash:

3794c5f7b240e4184d6ea90c5bdd9ec6

SHA1 hash:

26b9c4a753779b4994fe38c16dfe70b07efd3e0d

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

1010cb1708c92af55bb83f438c414eba4f07330b749d9d4b91497dd4ab58b55a

MD5 hash:

74cc3258a14dd19bb5b42f5c7a5e664e

SHA1 hash:

055473c7006b38ab11eb4988d5d55b553e4f1d51

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

94d341df30a3c6ce139f083130367e95fe8013493eb24492d45112229a10bb0d

MD5 hash:

679b96b9c6239afa9e77857541699ee5

SHA1 hash:

9460f7df2b036ab6be7eca0fb7b22aeeb76c033c

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

Parent samples :

SH256 hash:

68f415ab5ad686e3c50f2bd080b5dae527005907fa2757d675fe4fabce466541

MD5 hash:

fe1dc254ed9e3501b7a6a5f6a20194e7

SHA1 hash:

31971347bf63d60cadcfba6857b8b7237bfc986f

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130

MD5 hash:

3794c5f7b240e4184d6ea90c5bdd9ec6

SHA1 hash:

26b9c4a753779b4994fe38c16dfe70b07efd3e0d

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

1010cb1708c92af55bb83f438c414eba4f07330b749d9d4b91497dd4ab58b55a

MD5 hash:

74cc3258a14dd19bb5b42f5c7a5e664e

SHA1 hash:

055473c7006b38ab11eb4988d5d55b553e4f1d51

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

SH256 hash:

22c4b05bcf26647a2464500666ec31c235599a73765d4cd3452721eb2cf2b020

MD5 hash:

340abe0007e32743fc701080d3c4a7e5

SHA1 hash:

2aff7c4bc5baba90c871513a1d5f9e17e2846b8f

Link:

https://www.unpac.me/results/c4847bc6-ac45-4373-9d9e-e5d93f92207e/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/22c4b05bcf26/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/22c4b05bcf26647a2464500666ec31c235599a73765d4cd3452721eb2cf2b020

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.