MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2547bb68679d447dbde8f5631c385ba265aaf1dd9a8b3807e77ad475ad15adfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2547bb68679d447dbde8f5631c385ba265aaf1dd9a8b3807e77ad475ad15adfa
SHA3-384 hash: 77831c537f2b4c27afa446bb1fab0357dc25ca182df31955e0e098d504e901741f3b90dcd948eacbb4eca5916d66578d
SHA1 hash: 17fd02dc9dc2a6146746793e0801194c7532003f
MD5 hash: fb039bb33dda7790d3a66dcfcfb4b1bd
humanhash: king-california-sodium-stairway
File name:Banka ödemesi_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:624'128 bytes
First seen:2023-05-09 09:37:03 UTC
Last seen:2023-05-13 22:47:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:pNj5Ayrq0VXVWni+eyVqAC2Xvd11sS1F1zF3/1ZIS63VKyemKORjj/4Se:p3zKRe3d2fd11VF1p/1ZC3V3e/ORQh
Threatray 3'239 similar samples on MalwareBazaar
TLSH T1A9D4F1B1A19E89E1E20F89B0167CBDA21EB671E3FDD9097807795044CFA7B143F8494E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
AgentTesla FTP exfil server:
myogessentials.com:21

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Banka ödemesi_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-09 09:42:55 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/efc51a0c-91b6-4689-beba-bbd39808c01d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387791/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.32412.15651.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/645a144ad860ee3e1ca66c9c/reports/ba73b1e7-8682-44f3-8e6b-fe1866976e4c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2547bb68679d447dbde8f5631c385ba265aaf1dd9a8b3807e77ad475ad15adfa
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3cc280e-bca0-4184-ad35-603e09d182e0
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229062
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862044 Sample: Banka_#U00f6demesi_pdf.exe Startdate: 09/05/2023 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Multi AV Scanner detection for domain / URL 2->48 50 Found malware configuration 2->50 52 10 other signatures 2->52 7 Banka_#U00f6demesi_pdf.exe 4 2->7         started        11 rSZfpJM.exe 3 2->11         started        13 rSZfpJM.exe 2 2->13         started        process3 file4 32 C:\Users\...\Banka_#U00f6demesi_pdf.exe.log, ASCII 7->32 dropped 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->54 56 Adds a directory exclusion to Windows Defender 7->56 58 Injects a PE file into a foreign processes 7->58 15 Banka_#U00f6demesi_pdf.exe 17 10 7->15         started        20 powershell.exe 21 7->20         started        60 Multi AV Scanner detection for dropped file 11->60 62 Machine Learning detection for dropped file 11->62 22 rSZfpJM.exe 11->22         started        24 rSZfpJM.exe 13->24         started        signatures5 process6 dnsIp7 34 myogessentials.com 185.174.174.220, 21, 49699, 49700 ITLDC-NLUA Ukraine 15->34 36 192.168.2.1 unknown unknown 15->36 28 C:\Users\user\AppData\Roaming\...\rSZfpJM.exe, PE32 15->28 dropped 30 C:\Users\user\...\rSZfpJM.exe:Zone.Identifier, ASCII 15->30 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->38 40 Tries to steal Mail credentials (via file / registry access) 15->40 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->42 26 conhost.exe 20->26         started        44 Tries to harvest and steal browser information (history, passwords, etc) 24->44 file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2547bb68679d447dbde8f5631c385ba265aaf1dd9a8b3807e77ad475ad15adfa/
Threat name:
Win32.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-05-09 09:38:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=evd3w2dhtvch3ppi6vrryoc3ujs2v4o5tkftqb7hplkhllivvx5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2ce7d781b4110aea5d90e86a8798e44516a33724c212e4b6099cb4babb7090d0
AgentTesla
316483bf87a8932bf0d84dd527cce96da936a5612b005f5051b2656c39a9be62
AgentTesla
392ee3c9d47409b170b5e4d6f7eedf427bf1121be42b024a663340bed3025bd4
AgentTesla
3b0acc239747010ba9c56cf22b4ace536d82bf3748dfb14e8b977c07f8dc976d
AgentTesla
4b81215a34d41cbdfa37fa7b93710ed6ddaea795f793740c9da1fe04366893b0
AgentTesla
7b4164cc352f02f53d9f49d8a5d6df6221b85c5412fcb133462c5d779730dc64
AgentTesla
a3e624899642025593a5646ecff5cbdf946e5b13debcdf57aad589d4da03de3a
AgentTesla
ac4f95e274427abe5af52a9af50ffc74db27a0c87969d1097dc35d75d36d77d7
AgentTesla
c1e3b76bda3518d5b42ef7e7bb24df83b15fb3d97632ac0951bd814a1efdf246
AgentTesla
d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15
AgentTesla
+ 3'229 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230509-llgz2shb3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
83fde4c9e3bd778ea729691f2dbae3a3921ca37c620873d5015e059366bd45ab
MD5 hash:
875c44e3510ef7b26167c427e22985fb
SHA1 hash:
7085e54effb2e903cbf2bface0dad4bd28d4a7c1
Link:
https://www.unpac.me/results/afe7674f-511e-4371-aa2d-f7cd75fb51d6/
SH256 hash:
c3280530b049be54ccd663c13993445f035ab6e08c364082785583609e7d258e
MD5 hash:
24c2609f3dcce71cf28fb638ec5f364b
SHA1 hash:
5f8f7123821917aa0dc7dfeb117e0d7dd2b2b59e
Link:
https://www.unpac.me/results/afe7674f-511e-4371-aa2d-f7cd75fb51d6/
SH256 hash:
5351666d8e0f0f2e174b7e6092b86ab4064fbdbc5a48cc482186222bbfafa12d
MD5 hash:
b4f3599f47f595ec3ec8a2f993d1a146
SHA1 hash:
5f43e0940b64d3e000d3aa58861c8b7a16c2ec07
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/afe7674f-511e-4371-aa2d-f7cd75fb51d6/
Parent samples :
2547bb68679d447dbde8f5631c385ba265aaf1dd9a8b3807e77ad475ad15adfa
a1b00c2628ee45d054b257f96eb55f197fcb47928c42bb9ddb0a800546116e37
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/afe7674f-511e-4371-aa2d-f7cd75fb51d6/
SH256 hash:
1f98bfb0ef65838b1ed69943df1cf982d83efb764259688c394f32249782f242
MD5 hash:
69f658a9ea2cb8dd9f6814e25547d94b
SHA1 hash:
0a62845ac54fd5e74ba512fc48fbae8161f333fa
Link:
https://www.unpac.me/results/afe7674f-511e-4371-aa2d-f7cd75fb51d6/
SH256 hash:
2547bb68679d447dbde8f5631c385ba265aaf1dd9a8b3807e77ad475ad15adfa
MD5 hash:
fb039bb33dda7790d3a66dcfcfb4b1bd
SHA1 hash:
17fd02dc9dc2a6146746793e0801194c7532003f
Link:
https://www.unpac.me/results/afe7674f-511e-4371-aa2d-f7cd75fb51d6/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2547bb68679d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2547bb68679d447dbde8f5631c385ba265aaf1dd9a8b3807e77ad475ad15adfa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2547bb68679d447dbde8f5631c385ba265aaf1dd9a8b3807e77ad475ad15adfa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387791/

Comments