MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2713d5f063d131de0d8ab8c4768401364b4f512c7b79cf6ab14f8d596a725af2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2713d5f063d131de0d8ab8c4768401364b4f512c7b79cf6ab14f8d596a725af2
SHA3-384 hash: 6bfddea3577ad2d054ad523c8f7df06c38987db56bc3883033b4bc675078868029660c194d3ea96d9c773cdcebfb7d65
SHA1 hash: 9cbf23aca943aefdc2e46b6447d91bcb98a2d1ce
MD5 hash: b8de74c80e48286027ad48d108989b89
humanhash: four-emma-thirteen-nevada
File name:b8de74c80e48286027ad48d108989b89.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:567'296 bytes
First seen:2023-04-14 06:57:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:nyV7pLKc1PdCuP6onq92W9BkY87f6641fi:yvKctdCuTnOl9vUO1f
Threatray 2'088 similar samples on MalwareBazaar
TLSH T136C4235732984B76F1FD63FA2818494913732927E532EB0C1D8CE4FD6A64B6A0352EC7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b8de74c80e48286027ad48d108989b89.exe
Verdict:
Malicious activity
Analysis date:
2023-04-14 07:00:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7503b3df-c1bd-41df-b5aa-1b3e5d6d1082

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382203/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/6438f9808d365949bb74e171/reports/c05b3ee1-b25a-4641-8077-00ae05ceed0a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2713d5f063d131de0d8ab8c4768401364b4f512c7b79cf6ab14f8d596a725af2
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66c97285-a31c-45d6-a1fb-0fe78ded446f
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213728
Signature
.NET source code contains potential unpacker
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 846657 Sample: j2cDlEn8A0.exe Startdate: 14/04/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 6 j2cDlEn8A0.exe 3 2->6         started        10 svchost#.exe 3 2->10         started        12 svchost#.exe 2 2->12         started        process3 file4 23 C:\Users\user\AppData\...\j2cDlEn8A0.exe.log, ASCII 6->23 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->59 61 May check the online IP address of the machine 6->61 63 Contains functionality to register a low level keyboard hook 6->63 14 j2cDlEn8A0.exe 17 10 6->14         started        65 Multi AV Scanner detection for dropped file 10->65 67 Machine Learning detection for dropped file 10->67 19 svchost#.exe 14 7 10->19         started        21 svchost#.exe 7 12->21         started        signatures5 process6 dnsIp7 29 api4.ipify.org 104.237.62.211, 443, 49695, 49700 WEBNXUS United States 14->29 31 mail.privateemail.com 198.54.122.135, 49698, 49699, 49702 NAMECHEAP-NETUS United States 14->31 37 2 other IPs or domains 14->37 25 C:\Users\user\AppData\...\svchost#.exe, PE32 14->25 dropped 27 C:\Users\...\svchost#.exe:Zone.Identifier, ASCII 14->27 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->39 41 Tries to steal Mail credentials (via file / registry access) 14->41 43 Creates autostart registry keys with suspicious names 14->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->45 33 api.ipify.org 19->33 35 api.ipify.org 21->35 47 Tries to harvest and steal browser information (history, passwords, etc) 21->47 49 Installs a global keyboard hook 21->49 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2713d5f063d131de0d8ab8c4768401364b4f512c7b79cf6ab14f8d596a725af2/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-04-14 06:58:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e4j5l4dd2ey54dmkxdchnbabgzfu6ujmpn4462vrj6gvs2tsllza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0442d940427ea6e7f9d614bb83ca56d539bed99c4307b7a6f13c35d73c002ef6
AgentTesla
5139217f06a06c8e1ed07dc698e466753577c1b5d8c54bf9fb698d13df19b31a
AgentTesla
69fa15d77275d1d0383f6a1ec7137989a392fe17050cb90f3670e8e834f931be
AgentTesla
74f0cd3a4b819ccc977a778fccba82e096dec880a6dba59641fedbdcfb4f7292
AgentTesla
8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519
AgentTesla
9c2c8761ad2b6ff1f1210799eb5235fe597150650e7d593c65a55c39185f4acd
AgentTesla
c86d38aa757ac108e7d31f03848e49091391730cf0d132b71e70d487c919f68c
AgentTesla
ce0dafe328f758e308ede4abcc1ab07c6dacaad8597c688a51acfc4110b0c74b
AgentTesla
f7ac7260d713a1c0ffa1b24b5b83dd4bd662252788844f6d023a0657d275d6ef
AgentTesla
f86378105b4028797386149c63ced3dfb596164326381b99257b49ae61d90db9
AgentTesla
+ 2'078 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230414-hrha8agg64/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4fcc4a86d3972b95b6856dccfaccf3da1e3c246c828473b505142ea2dd67632c
MD5 hash:
913b2daf239b974430e486b2be79ed47
SHA1 hash:
f19703f5f221c3928c33d6f715bdbdc020d42b6a
Link:
https://www.unpac.me/results/51a9cd79-22b3-45e7-b33a-ac5876eae98f/
SH256 hash:
381eab67b9eda160c2215b39b0f1543fe202395647385a4acb3eb27f2da8710e
MD5 hash:
f29a1dbf184951fe94d5e05a4bd4aaf2
SHA1 hash:
d56ae8221126805276133bbfb8dae333ad4f3f16
Link:
https://www.unpac.me/results/51a9cd79-22b3-45e7-b33a-ac5876eae98f/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/51a9cd79-22b3-45e7-b33a-ac5876eae98f/
SH256 hash:
1b5a798bc26aa7672241eb90b8dbbf99b2595451222c17951af53713f117c8da
MD5 hash:
cb7988b160bfa35335a307177911ee57
SHA1 hash:
7ec1d4eeda4354a4628662ed0a9b371affb8972b
Link:
https://www.unpac.me/results/51a9cd79-22b3-45e7-b33a-ac5876eae98f/
SH256 hash:
358b0f7399c7c6ab9e5028e3ad13e79b2da8b317de73d49a5897f5289f3dba5b
MD5 hash:
2fe69cdbb3d537facc256b84f8c2e0dc
SHA1 hash:
4c3e623a445be735dfa7744716444f2eb1bcf73c
Link:
https://www.unpac.me/results/51a9cd79-22b3-45e7-b33a-ac5876eae98f/
SH256 hash:
2713d5f063d131de0d8ab8c4768401364b4f512c7b79cf6ab14f8d596a725af2
MD5 hash:
b8de74c80e48286027ad48d108989b89
SHA1 hash:
9cbf23aca943aefdc2e46b6447d91bcb98a2d1ce
Link:
https://www.unpac.me/results/51a9cd79-22b3-45e7-b33a-ac5876eae98f/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2713d5f063d1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 2713d5f063d131de0d8ab8c4768401364b4f512c7b79cf6ab14f8d596a725af2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2259317/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/382203/

Comments