MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 248b5eeaa5a7e8f3269532fd94ef555ebbaeae792c67f8186df0884f343050e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 248b5eeaa5a7e8f3269532fd94ef555ebbaeae792c67f8186df0884f343050e9
SHA3-384 hash: 27dda2577756b40feac2e32026edc555daeb317852fe1d4c71af99129579b22b6621fce757a882b39023ac2141b36eea
SHA1 hash: 2ed9f42b0aab091bcb1de1516b572f7dedd58025
MD5 hash: 3605c168d1f482f8965e1065184d688f
humanhash: alanine-aspen-jersey-uniform
File name:AKIBET202205240000000000000,xls.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:749'568 bytes
First seen:2022-05-24 13:39:12 UTC
Last seen:2022-05-24 14:45:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:L2Vo4DTnMFg/dMimr+RApY68kue/6+8lRKjmOoXxF20WDYhymD+Y1vS:LcnMeeimrO8t2um/2ZDYhRv
Threatray 16'909 similar samples on MalwareBazaar
TLSH T1A6F4F004BB92DE13C26816B7C5C3151403F695479332D7873FDAAAD60E03BA26DD9B8B
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2961d3133038ee8 (24 x AgentTesla, 18 x FormBook, 8 x Loki)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
AKIBET202205240000000000000,xls.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 01:07:04 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/9d05e4db-2231-454a-8281-6ae3a52dc659

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274128/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/628ce0440be8a16da4e91d70/reports/483858f0-98b5-4656-9610-e8050be9416c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4a42594-602d-4fda-8dab-b99f893d4fbf
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000680
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 633172 Sample: AKIBET202205240000000000000... Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 11 other signatures 2->37 7 AKIBET202205240000000000000,xls.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\wljzanJFqp.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp848E.tmp, XML 7->25 dropped 27 AKIBET202205240000000000000,xls.exe.log, ASCII 7->27 dropped 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->41 43 Uses schtasks.exe or at.exe to add and modify task schedules 7->43 45 2 other signatures 7->45 11 AKIBET202205240000000000000,xls.exe 15 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 29 api.telegram.org 149.154.167.220, 443, 49728 TELEGRAMRU United Kingdom 11->29 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->47 49 Tries to steal Mail credentials (via file / registry access) 11->49 51 Tries to harvest and steal ftp login credentials 11->51 53 Tries to harvest and steal browser information (history, passwords, etc) 11->53 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/248b5eeaa5a7e8f3269532fd94ef555ebbaeae792c67f8186df0884f343050e9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 10:56:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=esfv52vfu7upgjuvgl6zj32vl2525ltzfrt7qgdn6cee6nbqkduq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
21872d29795b2487ee5e10d4dac7aaeec6b823fe56be45905e785f58f4802e23
AgentTesla
2a4468df049b2ebcb4ed7ef66dbf0476765343612c13dc962752f5a56a50676b
AgentTesla
5bf9f321e795da8caa68cef487b457a673fc98aca56cbbcf70fdf7f180d32ec9
AgentTesla
6131b03eaf029cbe944219f41fc09fa65fbf15bac4de218ad1210bbc29e22772
AgentTesla
b2340963087eeade7fcdae5b1dfb1b45680247aee534d34b546711cf2a4d8a98
AgentTesla
b3587ff41c4ab5cfd37aa464d4f32ec71e86860b9089da3ea4df459a3d44b446
AgentTesla
c9ead75d0d9084665d004c3d42a3ffc3c87bb826c79d33f5852df1caddf10755
AgentTesla
fb6c380b910cba16a60426c3671d3b19e5a90fa1061769178edc7a0821c8224f
AgentTesla
+ 16'899 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220524-qyh54agcfr/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
7fc3a061a6e1994477839381444ed4f983946612d0089e6831bd2bade175f9ca
MD5 hash:
748acb34a51e6c4974b38c39ae84f3fe
SHA1 hash:
89b81512a0111f8c4e43387fd26cc253b35fa07e
Link:
https://www.unpac.me/results/21f401e4-ab91-44de-9cc8-4cae8b5476f1/
SH256 hash:
5213a587b836f3dacf0225391d81a8b95e45f36ef811ee058922bce2cbe70f06
MD5 hash:
b73e34f89a810bdc2631f57751c25973
SHA1 hash:
5019667f4de4af2ae5109fc30308b27868e02151
Link:
https://www.unpac.me/results/21f401e4-ab91-44de-9cc8-4cae8b5476f1/
SH256 hash:
9a59f2e953179787d86142fb8500dcfcf9d24a3b55b498fc9ba0fb425075ba49
MD5 hash:
6adfad2799979d4778d5f19aea5a5142
SHA1 hash:
3b928ebe40f09fa9a951612a8457e1691f513eb3
Link:
https://www.unpac.me/results/21f401e4-ab91-44de-9cc8-4cae8b5476f1/
SH256 hash:
1ba41779ce705b22b7debab0caf0fa801c4e7208fe87174325b052dcf60d14fb
MD5 hash:
ebfd7b6738c0dba309d8f5ae46e26bb7
SHA1 hash:
eae95238ab256ddd5bd4e46d70e07eeb5c5f088a
Link:
https://www.unpac.me/results/21f401e4-ab91-44de-9cc8-4cae8b5476f1/
SH256 hash:
23fd766caff0f3fd946d0f56bcee616c73d555775d96acefb7a152636f5db69e
MD5 hash:
5eea5eb5051be881c84254c3a55a5400
SHA1 hash:
cdb4d272842633fbc37708d3a82b035175252bc2
Link:
https://www.unpac.me/results/21f401e4-ab91-44de-9cc8-4cae8b5476f1/
SH256 hash:
248b5eeaa5a7e8f3269532fd94ef555ebbaeae792c67f8186df0884f343050e9
MD5 hash:
3605c168d1f482f8965e1065184d688f
SHA1 hash:
2ed9f42b0aab091bcb1de1516b572f7dedd58025
Link:
https://www.unpac.me/results/21f401e4-ab91-44de-9cc8-4cae8b5476f1/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/248b5eeaa5a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/248b5eeaa5a7e8f3269532fd94ef555ebbaeae792c67f8186df0884f343050e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 248b5eeaa5a7e8f3269532fd94ef555ebbaeae792c67f8186df0884f343050e9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274128/

Comments