MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2980f607058a2ba908559bdedbbd019edd4b52377e5f884d36a62bf9aac8be00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2980f607058a2ba908559bdedbbd019edd4b52377e5f884d36a62bf9aac8be00
SHA3-384 hash: 076f186ff03e8fcfb4f281c488cb6c19214431fa0c5263cf6b2ad3823cae4ec1fdc0b669124d4df5e48c9b7fb5d38b93
SHA1 hash: 2aaccc31c06a2b025b6cf755c6bae0a385568398
MD5 hash: 895ebaf32f2cf5f84f9cfecf203c9d33
humanhash: golf-triple-blossom-north
File name:XBH2wJXWhhezh1n.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'074'688 bytes
First seen:2022-11-22 14:41:49 UTC
Last seen:2022-11-22 16:26:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:I1u5qdO0LY5A23/vuY0l+2qSf/DEeA+ZeCK:IoqdO0m9T9C/7Ze
Threatray 22'356 similar samples on MalwareBazaar
TLSH T120357BCB2F300E84CB4F34715D8C1B8862923DA159F59CF32B75AA7469464BFA69237C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
XBH2wJXWhhezh1n.exe
Verdict:
Malicious activity
Analysis date:
2022-11-22 14:43:30 UTC
Tags:
agenttesla keylogger stealer
Link:
https://app.any.run/tasks/7b5ec8d1-5248-40f0-b1df-8529d5ebe3dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337254/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389-2.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637cdfbadc2469274feeb62c/reports/7cf92f21-1385-43c3-8f4e-09e52e0379ee/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03c81509-4e68-44ab-9ab2-9ce758dc9d51
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1118984
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 751701 Sample: XBH2wJXWhhezh1n.exe Startdate: 22/11/2022 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 11 other signatures 2->70 7 XBH2wJXWhhezh1n.exe 7 2->7         started        11 lWjWWmgm.exe 5 2->11         started        13 MYAPP.exe 2 2->13         started        15 MYAPP.exe 2->15         started        process3 file4 46 C:\Users\user\AppData\Roaming\lWjWWmgm.exe, PE32 7->46 dropped 48 C:\Users\...\lWjWWmgm.exe:Zone.Identifier, ASCII 7->48 dropped 50 C:\Users\user\AppData\Local\...\tmp3F92.tmp, XML 7->50 dropped 52 C:\Users\user\...\XBH2wJXWhhezh1n.exe.log, ASCII 7->52 dropped 86 Uses schtasks.exe or at.exe to add and modify task schedules 7->86 88 Writes to foreign memory regions 7->88 90 Adds a directory exclusion to Windows Defender 7->90 92 Injects a PE file into a foreign processes 7->92 17 MSBuild.exe 17 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        94 Antivirus detection for dropped file 11->94 96 Multi AV Scanner detection for dropped file 11->96 98 Machine Learning detection for dropped file 11->98 26 MSBuild.exe 11->26         started        28 schtasks.exe 11->28         started        30 MSBuild.exe 11->30         started        32 MSBuild.exe 11->32         started        100 Tries to detect sandboxes / dynamic malware analysis system (file name check) 13->100 34 conhost.exe 13->34         started        36 conhost.exe 15->36         started        signatures5 process6 dnsIp7 54 api.telegram.org 149.154.167.220, 443, 49719, 49723 TELEGRAMRU United Kingdom 17->54 56 api.ipify.org.herokudns.com 52.20.78.240, 443, 49714 AMAZON-AESUS United States 17->56 58 api.ipify.org 17->58 44 C:\Users\user\AppData\Roaming\...\MYAPP.exe, PE32 17->44 dropped 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->72 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->74 76 May check the online IP address of the machine 17->76 84 2 other signatures 17->84 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        60 54.91.59.199, 443, 49721 AMAZON-AESUS United States 26->60 62 api.ipify.org 26->62 78 Tries to steal Mail credentials (via file / registry access) 26->78 80 Tries to harvest and steal ftp login credentials 26->80 82 Tries to harvest and steal browser information (history, passwords, etc) 26->82 42 conhost.exe 28->42         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2980f607058a2ba908559bdedbbd019edd4b52377e5f884d36a62bf9aac8be00/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 12:35:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgapmbyfriv2sccvtppnxpibt3ouwurxpzpyqtjwuyv7tkwixyaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
31602473d531ad4d07ab7c5ef1a75f8c3d594fd626fb279028f37350cf91e5f3
AgentTesla
38eb513c7b5f13dc2253584e86228128153e4cb038b9a5eb6999c2dbf85915ea
AgentTesla
42cb095fcf7bce147419fe87bffc91a1c0c189f731daaa819b17d371594b868f
AgentTesla
54983544e9fd6e0423bcd9ea883e4ff1375abcdd58876d79701e9d24882500ed
AgentTesla
5b03580eb279892ac9a03742ea838ffc55bfde4c4a1edf66a03cceec400c81e2
AgentTesla
663796a5ce4127446f60d77bca21aee44037d4c0eaf3b14449f4a54ecb359428
AgentTesla
707f1a98a3ae159f94ce852b36350c721f7dcf585797ce88008ecd6a7674879c
AgentTesla
9187a97218dc01aa09f09a164ce662cd7e579252f0fcb41e140a5d110efd0a9f
AgentTesla
d18ceb0ff0f9457759ecc501fbf6f9e9cb3e59a4f92cd53f215a9e3b4e7c31df
AgentTesla
+ 22'346 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221122-r21d8abb4s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5453942321:AAF6CS9julQ6K7s5pxacNALwWJ2A52D0EC4/
Unpacked files
SH256 hash:
e17215a47782e0905902f0acc157108a5099a18955c3af501c1c57fd5848a66d
MD5 hash:
e6d6a3247d49e56c7f8f28f42fb7f01f
SHA1 hash:
ff08942fbdc9e9004b0af944f6d4a89126c1ab10
Link:
https://www.unpac.me/results/dfb218f1-3a84-4663-a980-7bb499a46c62/
SH256 hash:
88a9bb73fbf20f8b448d4f68839b392e30dacd54bb6383856955016e5ada08fc
MD5 hash:
83da2fca7a89b097f686bf4167bbe183
SHA1 hash:
9d7a133a0349d2272ee453977a08b0546cc64911
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/dfb218f1-3a84-4663-a980-7bb499a46c62/
Parent samples :
2980f607058a2ba908559bdedbbd019edd4b52377e5f884d36a62bf9aac8be00
4e917ed708e6c20ca6f74372e37680aac6af8a9fc214e903ff4297438cf94261
8cdd2376c22a3f37faafe3a39f3730b7c03c9e641b729607ca2b083abbc3f05e
4a18558d47715d4869b75f738052786c8b85681aea3ff093002cd6b9dfd55c1c
6e91ea05f6e530c2092d498bc56c7de9fe1cc16e74538c9ace01c3c2b79ee74d
5fc28dba0030fcbcc62c9ca9c6da94dbecd6e50ee64f4f5380e6a73adf16f627
bd9e8e98b57be42915462ea8282987ebe17d779ead3d4c6461ec9e4d59150b3a
09f3a3ec989361e622f1ac9b42bc380846518c270dac7783e6e38aa1f12ccee4
bb504515c55056366648ad196e46f804221e248e4d41fda2ba3a243e23309794
SH256 hash:
00e235f40a9e794b9d6cb9fb9244e321a4e632951bdb809044b0e2af07b98d35
MD5 hash:
48c6f000da9a80f92b48ef6099fa8a37
SHA1 hash:
9b43df5e56005d1ee03f16ff02f26e76272aca7c
Link:
https://www.unpac.me/results/dfb218f1-3a84-4663-a980-7bb499a46c62/
SH256 hash:
895ca6d646a968f80e2c333c8d9abc265eb4e12f95237469fd4386bfdc461aa7
MD5 hash:
f46f8c3fbe0033c0d1ebbf6608c08927
SHA1 hash:
16f2063ce8ce3a871312bda97a0e05a971938fa5
Link:
https://www.unpac.me/results/dfb218f1-3a84-4663-a980-7bb499a46c62/
SH256 hash:
54af409a2999bad7ec8659db3adee7193c27c513f4c8b2f72b5bb09aefecc81c
MD5 hash:
1b42c21148561bff040af5f80973e70c
SHA1 hash:
04bf237c5631e2532213490bbf223eebe60760ab
Link:
https://www.unpac.me/results/dfb218f1-3a84-4663-a980-7bb499a46c62/
SH256 hash:
2980f607058a2ba908559bdedbbd019edd4b52377e5f884d36a62bf9aac8be00
MD5 hash:
895ebaf32f2cf5f84f9cfecf203c9d33
SHA1 hash:
2aaccc31c06a2b025b6cf755c6bae0a385568398
Link:
https://www.unpac.me/results/dfb218f1-3a84-4663-a980-7bb499a46c62/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2980f607058a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2980f607058a2ba908559bdedbbd019edd4b52377e5f884d36a62bf9aac8be00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/337254/

Comments