MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 288d6515e800b45a2d38aeff4bf92819ff0e6e90fd9391b375403858aa12764e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 288d6515e800b45a2d38aeff4bf92819ff0e6e90fd9391b375403858aa12764e
SHA3-384 hash: e5c2378a0075002899e956d39ae7c4e0a8d56000db0903e4e8c95d2db43bfcfdf03ae7d9593ec019697dc23ca6a0bd4c
SHA1 hash: 5fc6b29e79bf4be30acf2291ee81a968b6bb316b
MD5 hash: 29e6bb72e756fee67a97d22e0fc05d11
humanhash: stairway-sink-fifteen-stream
File name:SBI PO P010457399.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:612'352 bytes
First seen:2022-02-01 06:37:52 UTC
Last seen:2022-02-01 14:17:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:g+IDq1RWVO7J5xFCdX0WuruoYHtNRuYC59TueYg5yIdHK:g+DWVOV5x4d/aYHLe59tyIBK
Threatray 14'542 similar samples on MalwareBazaar
TLSH T1DBD4BF74A1A74A91F01B8B7520B8F96007B271E3BACA8D3957383585CF9AF553F4860F
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SBI PO P010457399.exe
Verdict:
Malicious activity
Analysis date:
2022-02-01 06:59:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf4db15b-9507-4d1e-9afb-22b0447a7035

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/229020/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/61f8d54f6d25ac9e79f3e031/reports/cef918c5-94c0-40cb-b531-ece1594b46c9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1dca9bb6-082d-42ac-974a-8097111064b0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/931407
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 563886 Sample: SBI PO P010457399.exe Startdate: 01/02/2022 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 13 other signatures 2->38 7 SBI PO P010457399.exe 7 2->7         started        process3 file4 26 C:\Users\user\AppData\Roaming\gTISeHQFS.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\Local\...\tmpCD6C.tmp, XML 7->28 dropped 30 C:\Users\user\...\SBI PO P010457399.exe.log, ASCII 7->30 dropped 40 Adds a directory exclusion to Windows Defender 7->40 42 Injects a PE file into a foreign processes 7->42 11 SBI PO P010457399.exe 7->11         started        14 powershell.exe 23 7->14         started        16 powershell.exe 25 7->16         started        18 schtasks.exe 7->18         started        signatures5 process6 signatures7 44 Moves itself to temp directory 11->44 20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        process8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/288d6515e800b45a2d38aeff4bf92819ff0e6e90fd9391b375403858aa12764e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-01 01:56:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fcgwkfpiac2fuljyv37ux6jidh7q43uq7wjzdm3via4frkqsozha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
6f605c15b2480a3a0e93a9f45dd658cdfc0cd03349c8da5380976d65f1c747c5
AgentTesla
728280f122d363764d84ed26d8c96ab58cf524a102c928f6941c6689677db8ba
AgentTesla
7ef2a4ddbdb6f28ec39e26bbd6883221326eaf51babfca78fdb27f1d5f4fdbe1
AgentTesla
88d6342ccae8c8af4195bcb8c8d41230821ff2d1d5d559e074e240d903af840d
AgentTesla
c9a6d59745a7eff46ed411e4f7f4894eec5df85d70d931082194b35becc25799
AgentTesla
eafbc4c031ce80d3b797f067bf78058ba1fee03ee2d335a2e7217371206b3b2f
AgentTesla
f3a3699e78a1a54ea10b4dc8f03044ec422c22c7a6c5ee69b3c7248272e6d2ac
AgentTesla
+ 14'532 additional samples on MalwareBazaar
Unpacked files
SH256 hash:
6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc
MD5 hash:
60a604887b3616e3ed86d81fab0a9ebb
SHA1 hash:
8db84f5f4c569c86c69aff464b2ffc4ce3dafa20
Link:
https://www.unpac.me/results/74a69d03-7e9c-48f8-88a4-62f0df88b1ca/
SH256 hash:
4ed4c6fa42e480d12918408f7cd5275d198bc6b4512b232f0c7eb1e2f5bc12b4
MD5 hash:
217737ad7f132f789b9ba90b8b3a20ed
SHA1 hash:
52edd368edb082f9c50ba1b2854945c7b69269ed
Link:
https://www.unpac.me/results/74a69d03-7e9c-48f8-88a4-62f0df88b1ca/
SH256 hash:
b968c5776cb0329db8f47a76c13bd3d769401bf7cc89f533f1521aa5ddecc982
MD5 hash:
d3ff0dd4dcbf8612ebd1ce33d77c8249
SHA1 hash:
2e0340a353b669960e92fded7162d03cf98ccdeb
Link:
https://www.unpac.me/results/74a69d03-7e9c-48f8-88a4-62f0df88b1ca/
SH256 hash:
288d6515e800b45a2d38aeff4bf92819ff0e6e90fd9391b375403858aa12764e
MD5 hash:
29e6bb72e756fee67a97d22e0fc05d11
SHA1 hash:
5fc6b29e79bf4be30acf2291ee81a968b6bb316b
Link:
https://www.unpac.me/results/74a69d03-7e9c-48f8-88a4-62f0df88b1ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/288d6515e800b45a2d38aeff4bf92819ff0e6e90fd9391b375403858aa12764e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 288d6515e800b45a2d38aeff4bf92819ff0e6e90fd9391b375403858aa12764e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/229020/

Comments