MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26286ef181ca7f744d73b6922aadd24bf521de09e9fd149df088247314447075. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	26286ef181ca7f744d73b6922aadd24bf521de09e9fd149df088247314447075
SHA3-384 hash:	9684303eb66578327077b66b5037771c1ff0354cd3bb52157070a5eb9426f6e4cb0c42e695bce0aebf714839114229bb
SHA1 hash:	e2d34f41f171ca76f98bbe71aaa19e8233becfba
MD5 hash:	06c8b7f78dba2ae3b809e9421cc0fbd7
humanhash:	speaker-alpha-north-lion
File name:	TH PG FORM E DRAFT FOR CEI2303125.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	799'744 bytes
First seen:	2023-09-27 06:47:43 UTC
Last seen:	2023-09-27 07:42:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:2Qc+UwZMMMDMMMcCUipLesc/79XsnwbYIKkKSzX3JPY2iuNmkov3fY+1:XLMMMDMMMcCFesM8nwbPKkDHv4BvvYu
TLSH	T12105C01531EF5816E377EFB7C7ABF980C77EBAA0666BB217401626C586E2901F701434
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f4d4dad2d0f4fec0 (1 x AgentTesla)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

TH PG FORM E DRAFT FOR CEI2303125.pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-09-27 06:48:48 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/d0d088f0-a676-45a0-8d8c-3fde86bedcfb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/451459/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.8881.9116.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Forced shutdown of a system process

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin masquerade packed

Link:

https://www.filescan.io/uploads/6513d0240870810f01877812/reports/6d898c35-ef06-4064-af37-c82c914ae98f/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/26286ef181ca7f744d73b6922aadd24bf521de09e9fd149df088247314447075

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/827f0063-6991-4a8a-a581-3daa75f8ba2d

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1314993

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/26286ef181ca7f744d73b6922aadd24bf521de09e9fd149df088247314447075/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-09-27 05:04:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eyug54mbzj7xitltw2jcvlosjp2sdxqj5h6rjhpqrashgfceob2q._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/230927-hkrw3shh76/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

AgentTesla

Unpacked files

SH256 hash:

0f94d621df2d1fff635bd8e34289064700fdc2cad0471cfcffb90f49f6947f6a

MD5 hash:

41cde6de85ea0d7ad0d87b893e2977ff

SHA1 hash:

85f716a5768e179faadf90934f1de46b0b50546b

Link:

https://www.unpac.me/results/caa47c1e-da92-478c-a050-2561538946da/

SH256 hash:

fc2a512233bc2f0d30725f10f7ce46a5acf67971692ca61d8b4c2c3ed6a69fec

MD5 hash:

50cc30f54e48f35e01d634331a2b24f2

SHA1 hash:

464a467739475e1163fd485e565356dfd7dcf88b

Detections:

AgentTesla

Link:

https://www.unpac.me/results/caa47c1e-da92-478c-a050-2561538946da/

Parent samples :

b57506921f2720895173741a012333b7f8b981a58dfa16493088371371b815c3
8f59e0372fb55c7267a21c6a694e643ebdf1629f55f4815d7fc476492d5c7f08
1934c9d93e6a4198e68757441c611e6c31306b38aeec33a5f1f6c09f1f8ce466
480c296502a2e2c8cc03eb4a2bb61e25885e3a83b104399d279d6f6e0f0d44c9
e8834b3ff4a76a9e15c7a5368e7c33029f0a4fda9ea82ab501f264262b8fbbc9
e3bb4be5d6f18e8fbec6ea1a30572f9bf6bff8764fe54e0285b5ffee096683a5
26286ef181ca7f744d73b6922aadd24bf521de09e9fd149df088247314447075
e451ae19f163ea57cff01b042d69e4e939a1854adc94dff0f40dfbad06c2b19b
ac9a2aedb6a7a14dfa233489e17f6efc4ddd9cd6c12c46a10fa193fc578430f0
43b81d0ca2373e9f8746005bff03564656b711c3a0d9e81a632f703a420e1cd6
0bf2eace6c65d7ba3d5e276ca086e28b43217cfd236f88ec03551801357a0b9b

SH256 hash:

82285a575ea205476be5bf48340be52a19296fb6afff6183e6602ac8fc9a449a

MD5 hash:

4c963ce10be216472a5cc89e6866e241

SHA1 hash:

21a9a24908f421fee6a1d4b6041bd5871cffbd2f

Link:

https://www.unpac.me/results/caa47c1e-da92-478c-a050-2561538946da/

SH256 hash:

26286ef181ca7f744d73b6922aadd24bf521de09e9fd149df088247314447075

MD5 hash:

06c8b7f78dba2ae3b809e9421cc0fbd7

SHA1 hash:

e2d34f41f171ca76f98bbe71aaa19e8233becfba

Link:

https://www.unpac.me/results/caa47c1e-da92-478c-a050-2561538946da/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/26286ef181ca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/26286ef181ca7f744d73b6922aadd24bf521de09e9fd149df088247314447075

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z e804c1c1ba4a78573799c2836aedd6c693fcafaff29af1a6b6c5eb36d86c647a

AgentTesla

exe 26286ef181ca7f744d73b6922aadd24bf521de09e9fd149df088247314447075

(this sample)

Delivery method

Other

Dropped by

SHA256 e804c1c1ba4a78573799c2836aedd6c693fcafaff29af1a6b6c5eb36d86c647a

Dropped by

SHA256 fbb13432b4fa58b7a9a24c29e0c4b296d5642450320401caf21fc1fc4f0c7b79

Cape

https://www.capesandbox.com/analysis/451459/

Dropped by

MD5 384ee1a3a0b0323c882011f49280f6ef

Dropped by

MD5 69ad3ea266f9cf8c73a0006d65eba105

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample