MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 289f300b6b1d7d1db1651b85b687a3f6419d69cd5dacc037a0b702ce37616f92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	289f300b6b1d7d1db1651b85b687a3f6419d69cd5dacc037a0b702ce37616f92
SHA3-384 hash:	446798ce6061d696c194e9e3064d310a71b52fa92b178b21664d86aff5ea01dc9a1e8522515c7d7596d0d26cb6b8e7e6
SHA1 hash:	7010efc234ee545bf80dbfaef063988cbcc32028
MD5 hash:	efa92ecd651fed70d3623861af5afeef
humanhash:	nevada-cup-low-kentucky
File name:	TT SLIP.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'188'352 bytes
First seen:	2023-03-14 04:51:45 UTC
Last seen:	2023-03-14 06:30:43 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:PVrxCK/es64C4khFG0Lipbn9xIv+31hfieeVjS19swXRIldsVYBz1D2wVBLqhR4p:tdYFzL6qQuQz0Gqwjkzx5S5E
Threatray	1'177 similar samples on MalwareBazaar
TLSH	T14645392439FA501AB173EFAA8BE475EADA6FB7733B07645D109003864723981DEC153E
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

217

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TT SLIP.exe

Verdict:

Malicious activity

Analysis date:

2023-03-14 04:52:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e9bd5ab3-9284-412b-a51d-55bbc0fff910

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/374135/

Detection(s):

SecuriteInfo.com.Variant.Cerbu.165753.2809.13004.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

DNS request

Sending a custom TCP request

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/640ffd7556d2bc8d80b763fb/reports/67c110f2-bb03-4210-b64f-64891f04937b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/289f300b6b1d7d1db1651b85b687a3f6419d69cd5dacc037a0b702ce37616f92

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/674eebe8-9949-4fb9-b7f6-e55bfa1ddf31

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1193026

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/289f300b6b1d7d1db1651b85b687a3f6419d69cd5dacc037a0b702ce37616f92/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-03-14 00:45:50 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 39 (43.59%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fcptac3ldv6r3mlfdoc3nb5d6zaz22onlwwman5aw4bm4n3bn6ja._file

Verdict:

malicious

AgentTesla

2779b729bdaa3807f8cb81e680a8497a1694345b5214db7648e7624f545991b3

AgentTesla

6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778

AgentTesla

914e09b5e1bee2e3bbb2d77f8fae1a8069f67b887f6abf9c5785e9fc5e39dd1c

AgentTesla

96af204d2dfb74c2fba800c451c04b6c71443be7bd68fadcf718cfda4cfb20e5

AgentTesla

9a2232a4a9ceef2c3fcfee0acca71d5717395aff8abd1b6b26aa3a5c266b3fae

AgentTesla

a0bf8575052b720932ab96605b4622a07453b1ace7cd73a8f262ca3e7fa7317a

AgentTesla

bc9a80c327839012274d763d66186497685a6b73e0b20eea73c720d61f5c9407

AgentTesla

f01102bc0d4dd2e2508bcf195df1e52fe46afeba7b079cd7d9f51007ed9b6141

AgentTesla

+ 1'167 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230314-fhdwbsfe6y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Uses the VBS compiler for execution

AgentTesla

Unpacked files

SH256 hash:

289f300b6b1d7d1db1651b85b687a3f6419d69cd5dacc037a0b702ce37616f92

MD5 hash:

efa92ecd651fed70d3623861af5afeef

SHA1 hash:

7010efc234ee545bf80dbfaef063988cbcc32028

Link:

https://www.unpac.me/results/afcaf698-bf1b-4fe2-ac09-ef86192bd8b4/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/289f300b6b1d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/289f300b6b1d7d1db1651b85b687a3f6419d69cd5dacc037a0b702ce37616f92

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 3ff7eee82116738074e5f2a12419798ea53004ba1565a7a2c67ecbd2f26626af

AgentTesla

exe 289f300b6b1d7d1db1651b85b687a3f6419d69cd5dacc037a0b702ce37616f92

(this sample)

Delivery method

Other

Dropped by

SHA256 3ff7eee82116738074e5f2a12419798ea53004ba1565a7a2c67ecbd2f26626af

Cape

https://www.capesandbox.com/analysis/374135/

Dropped by

MD5 f6bf7115e535a368ff4bc1b29c9099ca

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample