MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2779b729bdaa3807f8cb81e680a8497a1694345b5214db7648e7624f545991b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	2779b729bdaa3807f8cb81e680a8497a1694345b5214db7648e7624f545991b3
SHA3-384 hash:	207793f5aacc49d0a53f713e19c50b245c1c6272ef19c0b53358040d583ccc81f10f7cf1f9012d3c61efb98a62f87d5f
SHA1 hash:	8fe7626796fdeb7bee159e4b66dcb70396a6a634
MD5 hash:	790c28d1122dacff4d1becbe630ed98e
humanhash:	uranus-freddie-apart-pasta
File name:	2779b729bdaa3807f8cb81e680a8497a1694345b5214db7648e7624f545991b3
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	467'968 bytes
First seen:	2023-03-08 13:16:51 UTC
Last seen:	2023-03-08 14:31:45 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:qn+YXzV+OJ7b2xCqJlG/+/+RfwlbMdx2:qn+eYOpSRlG+M
Threatray	1'162 similar samples on MalwareBazaar
TLSH	T145A4125839808F87DCB817F94EB6684013F9D93D3972DA291E9131DA6693B404CB4FAF
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/372582/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.65485831.25152.26806.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Reading critical registry keys

Sending an HTTP GET request

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64088acf8b48bcea611f15d3/reports/24b2bd3e-1f51-4b45-b94b-4cd50864ff2f/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/2779b729bdaa3807f8cb81e680a8497a1694345b5214db7648e7624f545991b3

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/36a645fb-20bb-4f90-ba6f-ab00a1dcab63

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1189749

Signature

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2779b729bdaa3807f8cb81e680a8497a1694345b5214db7648e7624f545991b3/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-13 09:46:45 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

22 of 39 (56.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e543okn5vi4ap6glqhtibkcjpiljinc3kiknw5si45re6vczsgzq._file

Verdict:

malicious

AgentTesla

030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498

AgentTesla

4ae79ceea285cbb607eddf58f18707d2920f77fc8cac6e92f26013be0f70a5f2

AgentTesla

5db5ed91c1dd5d539ccd15ea871ad9f8a567133562227df5e76fc6c4bbc5322e

AgentTesla

64e798e796ed7b87713f49d138ae36a339ab7d3ee390a701aae44ca4afa38756

AgentTesla

9a442ff6604cd89ee5f4fdf085e272ff9b0f3619ebe3b94652ae0c25679c3813

AgentTesla

c8e0dfc2f5671efee2e7a57ebcb04889730c9887e073ab93f7381a19200b4901

AgentTesla

d46b71aebfacfb2ca951e24d2fd60487c2ef99958909fb8aabefc4c1172b8f7c

AgentTesla

+ 1'152 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230308-qjc1jaff96/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

2779b729bdaa3807f8cb81e680a8497a1694345b5214db7648e7624f545991b3

MD5 hash:

790c28d1122dacff4d1becbe630ed98e

SHA1 hash:

8fe7626796fdeb7bee159e4b66dcb70396a6a634

Link:

https://www.unpac.me/results/cb62c986-61cb-4ff4-ace1-686eefa8c1c4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/2779b729bdaa3807f8cb81e680a8497a1694345b5214db7648e7624f545991b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/372582/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample