MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2796d6f2b4298abe3e53e252c47aa3d30e038406e288443372b19de8fc44bd05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2796d6f2b4298abe3e53e252c47aa3d30e038406e288443372b19de8fc44bd05
SHA3-384 hash: 3cec4f744b8669f4972600e6b72bddc36843c1ae0b1446a4ad3920bff58c555505ae710e0c0231c7ea65143edef3cc78
SHA1 hash: 62d21b662fbdc384bdd12d9509819cc940c49c26
MD5 hash: 4ab99ae57c8a0ee08ab924e800203564
humanhash: eighteen-beer-montana-queen
File name:PR2403016.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:683'008 bytes
First seen:2024-04-23 16:41:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:uCF1CClCqfBmU7Oww579bauQy06ZqNNSjkok5RDt1PV0T65ahKAtWef3HGD:uCF1Can5Bm579EkqKLcJtlV0TSUZL/
Threatray 4'251 similar samples on MalwareBazaar
TLSH T190E42350B5A96F2DF43E97B04C26688443F8BE76A437E3AB5FC0108A1E64F50CD55B2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
400
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
2796d6f2b4298abe3e53e252c47aa3d30e038406e288443372b19de8fc44bd05.exe
Verdict:
Malicious activity
Analysis date:
2024-04-24 05:35:10 UTC
Tags:
smtp exfiltration stealer agenttesla
Link:
https://app.any.run/tasks/02e8fa0f-23d1-4b40-8943-b4d43707fac3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Connection attempt
Sending a custom TCP request
Stealing user critical data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/2796d6f2b4298abe3e53e252c47aa3d30e038406e288443372b19de8fc44bd05
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ff9646a-6222-490f-82ba-b404cbac244e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1430502
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2796d6f2b4298abe3e53e252c47aa3d30e038406e288443372b19de8fc44bd05
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2796d6f2b4298abe3e53e252c47aa3d30e038406e288443372b19de8fc44bd05/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-04-23 16:42:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6lnn4vufgfl4pst4jjmi6vd2mhahbag4keeim3swgo6r7cexucq._file
Verdict:
malicious
Similar samples:
02627926659db4d45ce8b82aa90ee2ff84681c9bd55d2e0a2f7b457d68d8349d
AgentTesla
1f6773b4c67343482d958302d8a6dfdb4945cb6d09410f753a55313969eaf07a
AgentTesla
2796d6f2b4298abe3e53e252c47aa3d30e038406e288443372b19de8fc44bd05
AgentTesla
4a7a6ec0cd99d2da72908fb02039f53ccce070f1d4562c9cc7e16b035bc963c8
AgentTesla
aab25b636f9de1565af12c7d0468be4dc26ea80c09e130fd9f443d714747b60f
AgentTesla
b5c09b04b22150a0765935b87d76be55e2b8a178931b23ed044cc3c58e62f0eb
AgentTesla
d2b54b2073cb0bbb794046ff67fbdc31b2cef38e1726134b64395144c4533ef8
AgentTesla
+ 4'241 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240423-t7ncysaa29/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4
MD5 hash:
5577880f4c017d44278467b02d6b5d8b
SHA1 hash:
ff9330d4c990e4c448b25f9d633ccd5e136ded0c
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/9a7e7787-9112-4c0a-a062-f7c704e950f9/
Parent samples :
2796d6f2b4298abe3e53e252c47aa3d30e038406e288443372b19de8fc44bd05
6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4
SH256 hash:
bcd955da1a8f1efaced4d489f401719f6e4aeeecd0f431652dccd152889692d2
MD5 hash:
a51ec93c9ce000c1103445ec6f83661b
SHA1 hash:
947f73c080d9226b8fe770e3f8c84d8e0fa6b5e3
Link:
https://www.unpac.me/results/9a7e7787-9112-4c0a-a062-f7c704e950f9/
SH256 hash:
0b8ce50168530bf0cb343b44f73db26252353b48843ad163b5c4d40f750b57d0
MD5 hash:
c1ec0dcd8de33cb2d41c7473e00a291a
SHA1 hash:
6c85c33563b9d3f4731b73ec9109b0832096739c
Link:
https://www.unpac.me/results/9a7e7787-9112-4c0a-a062-f7c704e950f9/
SH256 hash:
29981be62b241ebcad087efe21676ebd62b5eeabab953a3aff9f1618a7888d09
MD5 hash:
d072d3ed475ac5196d7d6cc6ce8357c1
SHA1 hash:
3d562cee10fe22986a934668d23a3231c628ca9a
Link:
https://www.unpac.me/results/9a7e7787-9112-4c0a-a062-f7c704e950f9/
SH256 hash:
8a5d213e0b2c53fe659d2dc9824118e2159dcffe92a9ef9e8d3ff8ce165fecd7
MD5 hash:
da81f65908c9c753c23692f1b73a4328
SHA1 hash:
0eab2fbf5c935620bf2bce1f31fcc16fb2370e17
Link:
https://www.unpac.me/results/9a7e7787-9112-4c0a-a062-f7c704e950f9/
SH256 hash:
2796d6f2b4298abe3e53e252c47aa3d30e038406e288443372b19de8fc44bd05
MD5 hash:
4ab99ae57c8a0ee08ab924e800203564
SHA1 hash:
62d21b662fbdc384bdd12d9509819cc940c49c26
Link:
https://www.unpac.me/results/9a7e7787-9112-4c0a-a062-f7c704e950f9/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2796d6f2b429/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2796d6f2b4298abe3e53e252c47aa3d30e038406e288443372b19de8fc44bd05

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments