MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2706b5e3328e52a1395d3d7877f577c39a2bdb553f707e9c42861e91441dbaba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2706b5e3328e52a1395d3d7877f577c39a2bdb553f707e9c42861e91441dbaba
SHA3-384 hash: cec2e562edab79c18d06e49a79efc097ce9a2e3a5d0dd51732904bb10a33ac1ad33334bbf044b5a8a6262175f113ba17
SHA1 hash: 2ce702b061002a16c1a9e238d203502f0814e368
MD5 hash: 1286686847023fddf36525e00ebbc424
humanhash: east-blossom-montana-batman
File name:r844633_37.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:784'896 bytes
First seen:2023-06-23 12:11:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:9M1JCIQfNsVcuoQHT2iNoxnFPR6i171BcXEInvnmnOTnBsjOZLe:u1KNoT1iFFPp+dPzsjoS
Threatray 5'535 similar samples on MalwareBazaar
TLSH T11FF42309566F1017F0BB0B78349113B2437AAEDDB04AA0678F6773EAD5FA6C34671293
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
r844633_37.exe
Verdict:
Malicious activity
Analysis date:
2023-06-23 12:12:47 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/ad102f45-7698-4be3-ae77-3648afd3dc24

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/402183/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64958c1343d6e275c26b1966/reports/4963335e-94db-41c6-afe3-442b9874ee1b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2706b5e3328e52a1395d3d7877f577c39a2bdb553f707e9c42861e91441dbaba
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3078beb6-f27e-4c76-a8c4-797080d52aa1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1260444
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2706b5e3328e52a1395d3d7877f577c39a2bdb553f707e9c42861e91441dbaba/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-22 17:39:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e4dllyzsrzjkcok5hv4hp5lxyoncxw2vh5yh5hccqypjcra5xk5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
122ec71f9f9911f8b80c2f2c5f26d66ffe2b62a190168ec0797072e02a8a3598
AgentTesla
1c4c7802f3a6bcc8d0355ad3e5c482c0fcdcb79845733a5ffe5c081ef59241cb
AgentTesla
3034f4c4123e20d2d2306263c3fc0cf2ddd0b9ed15e480386d45c4550140233c
AgentTesla
31cc68f5423b08e95d1099c3e5f1ee1883a3b118c3cd2f51b8175d501505e92f
AgentTesla
427883d7c6eb502e12e7ae65c1d2c241c8815998faea9dcfd9681d8f40f1f665
AgentTesla
59084f9c3435606045261122fcece85c7dcff26b245657929a983e896b905405
AgentTesla
70c499252627effa5dccc94f8cb4a7c160455ce1bc0121ba12b4d20e79f543e9
AgentTesla
987a4d7b9be473efd2aa0ff7f0958414d64e0fa058bbaadb702c2024dbc9562c
AgentTesla
dc091920175bd059d2925977e1806df9930c40db5292a73158bac390fca03d75
AgentTesla
+ 5'525 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230623-pc6htsef69/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/f8d2da91-b13c-4bf2-bf41-ed0bbbed29b9/
SH256 hash:
0160739cfd8d1897931f6821d701e3089c2bbd03d3ff8ed977ca4c618876b7e4
MD5 hash:
42fa7553572a0e8d2056a7c77597f57a
SHA1 hash:
c1beb634d03f733eedf2f2b4fc3ab14a4b388ae6
Link:
https://www.unpac.me/results/f8d2da91-b13c-4bf2-bf41-ed0bbbed29b9/
SH256 hash:
dd766447e8bac7ad74d168e547aa5f34f3efb93ea75619a242c7323dc5432615
MD5 hash:
b9fd55c8ff1c899de198e8b853f20352
SHA1 hash:
6d14b6a79973bb24a59fa7c7ea79ad88b4d41621
Link:
https://www.unpac.me/results/f8d2da91-b13c-4bf2-bf41-ed0bbbed29b9/
SH256 hash:
f415db5d423218c8523ef86fdf3afa418fa4aa7147ea5c83d76e3af19474b29a
MD5 hash:
e9c8948c47459592bcb4959da0030203
SHA1 hash:
640b36618c2b38c2ca6af4417925ad76570691be
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/f8d2da91-b13c-4bf2-bf41-ed0bbbed29b9/
Parent samples :
2706b5e3328e52a1395d3d7877f577c39a2bdb553f707e9c42861e91441dbaba
72d1ca783a74d9e5e8024a44759419ea5221177d53a2739960a8457e21e773d6
7acc949f4e01f5ee720f2821349e3a0dcf05a7ac15470a8d7f6ff9aef1d00d2e
SH256 hash:
b152e6132f4fb171dda9826760ea3dd5235068a6ed71a0934d9eeb48a74a24fa
MD5 hash:
005049b24be200d26aa9ad9136b59ec0
SHA1 hash:
1a47f2f2faa1617fe2ce05883d9cb733b06a691e
Link:
https://www.unpac.me/results/f8d2da91-b13c-4bf2-bf41-ed0bbbed29b9/
SH256 hash:
2706b5e3328e52a1395d3d7877f577c39a2bdb553f707e9c42861e91441dbaba
MD5 hash:
1286686847023fddf36525e00ebbc424
SHA1 hash:
2ce702b061002a16c1a9e238d203502f0814e368
Link:
https://www.unpac.me/results/f8d2da91-b13c-4bf2-bf41-ed0bbbed29b9/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2706b5e3328e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2706b5e3328e52a1395d3d7877f577c39a2bdb553f707e9c42861e91441dbaba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2706b5e3328e52a1395d3d7877f577c39a2bdb553f707e9c42861e91441dbaba

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/402183/

Comments