MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26ec84d86c07a621e86269544e8e4018d40bfe4c19a3ced4ee3749155bc4acc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26ec84d86c07a621e86269544e8e4018d40bfe4c19a3ced4ee3749155bc4acc8
SHA3-384 hash: f709668e39e86edeb96d387fe1f77140e222429e60b768c99c1c9c11731b52d931ad12cb274237c64b509f48df5c7d39
SHA1 hash: 2d301b8c0305f44ad14d8ba4fddeda3ed30c791b
MD5 hash: 48f7c90f9038debcfd1cc836118582af
humanhash: lion-dakota-sodium-low
File name:No.13234290.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:741'376 bytes
First seen:2023-05-04 08:33:29 UTC
Last seen:2023-05-13 22:54:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:QOuKuTxnueUElRHvxsXxs2egQVtwOVYYc9NftxzyRdhHCM4vPkAAJ2rxs:4T3UElPshsDYYcHzzyFjSMBJ2ds
Threatray 2'989 similar samples on MalwareBazaar
TLSH T17BF49C169014C81FFE1AEB70C1A4FFE4A6F1FD73A4E5542223793989EAB9F011E8D119
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 8e173733330f693b (14 x AgentTesla, 4 x Loki, 2 x njrat)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
239
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
No.13234290.scr
Verdict:
Malicious activity
Analysis date:
2023-05-04 08:36:00 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/815ce6a5-a351-4e96-aa88-bd3aca1a095c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386412/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64536dfc3d47a64d306bdb58/reports/4478970b-6997-4217-84b3-73ef1788977b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/26ec84d86c07a621e86269544e8e4018d40bfe4c19a3ced4ee3749155bc4acc8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c80e4462-f6ad-41dc-8181-770443f7f3c6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1225971
Signature
.NET source code contains potential unpacker
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26ec84d86c07a621e86269544e8e4018d40bfe4c19a3ced4ee3749155bc4acc8/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 05:29:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
25 of 37 (67.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e3wijwdma6tcd2dcnfke5dsaddkax7smdgr45vhog5erkw6evtea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01f8e351ce7ac28d0dcd75701dc8a55a7efa31d5d5c4915ce96505ebbc36a966
AgentTesla
3104fa64c32a8333437eecd7781d4617f221d12975b4167338dfff37a1022177
AgentTesla
3978001ee5d6b75a65ba8f881ec75caca178dc690bd1e55b90a977b1d23fbd2d
AgentTesla
60b3645a7d02232fd97ba076bdb88e6a801f462ce972d79366df9261a9f62720
AgentTesla
878f78260ff0cc10af5b6aef90f7352b83dd20db8394db7ba06bb3230a54e674
AgentTesla
b81b5d7a927299cc54748988d70523c615e82e21482652510a1a95db89b3521d
AgentTesla
c89bf6380445a49127491a4c68b77bc9ff8ba9b8fa016846ed6cc2274b6133d0
AgentTesla
cad87d2ba2f829cef46aa8195561a9feb19e96c559e8dcb707a68778cecd13e5
AgentTesla
cdca513e22701403a62e153f5d197a4d7e3f0fb3ed18f66021e00b7b3720713a
AgentTesla
+ 2'979 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230504-kgf2hsba57/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6de65853fa529a5c023ddbc8a841c24e42cf9d78e27eb2d46d1dcee699c9d511
MD5 hash:
3b2bc025309c7b8ad273c2e54a82f0bd
SHA1 hash:
6885cb01068a7b88cef87e0eef45ece0ad078a7d
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/ef986d4d-f7c3-4581-a4f3-3930a05317cb/
Parent samples :
231a82ded923d41465ce13e21138c2e15eaf3f2b4c41d9c4da1caebb1fca08f9
01f8e351ce7ac28d0dcd75701dc8a55a7efa31d5d5c4915ce96505ebbc36a966
576a17172b6d30950fec9fbf882297f3e7e058a57b8e871fffc983fa5b173bd5
3978001ee5d6b75a65ba8f881ec75caca178dc690bd1e55b90a977b1d23fbd2d
cad87d2ba2f829cef46aa8195561a9feb19e96c559e8dcb707a68778cecd13e5
26ec84d86c07a621e86269544e8e4018d40bfe4c19a3ced4ee3749155bc4acc8
SH256 hash:
f557af21ec95103a168c61d9cfbc84842b1069d98ce3260b8773ac5e3753d50f
MD5 hash:
efab64c0ee6391d7986b27060fe1a2b1
SHA1 hash:
12ab2d30e62830d59c0c18675447c51bc7d167a1
Link:
https://www.unpac.me/results/ef986d4d-f7c3-4581-a4f3-3930a05317cb/
SH256 hash:
7bfbc7e72f73fe2b47747c46eb012fb61424d451ea56acb4a580456e13e7ef86
MD5 hash:
4f4734a9546f3ab795e682287aaf1824
SHA1 hash:
f5fb9d356d3dea69617f1027bfbe7070d8e8c595
Link:
https://www.unpac.me/results/ef986d4d-f7c3-4581-a4f3-3930a05317cb/
SH256 hash:
af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114
MD5 hash:
b9897ba5e468e516e162fd3790a9ddbc
SHA1 hash:
db264c796e4a36a45af11e8a7bf71cf0dadce0f0
Link:
https://www.unpac.me/results/ef986d4d-f7c3-4581-a4f3-3930a05317cb/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/ef986d4d-f7c3-4581-a4f3-3930a05317cb/
SH256 hash:
26ec84d86c07a621e86269544e8e4018d40bfe4c19a3ced4ee3749155bc4acc8
MD5 hash:
48f7c90f9038debcfd1cc836118582af
SHA1 hash:
2d301b8c0305f44ad14d8ba4fddeda3ed30c791b
Link:
https://www.unpac.me/results/ef986d4d-f7c3-4581-a4f3-3930a05317cb/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26ec84d86c07/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 26ec84d86c07a621e86269544e8e4018d40bfe4c19a3ced4ee3749155bc4acc8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386412/

Comments