MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a22d4d82cd5d187ce6df806f22f93f8dd83619e91595c34332286bbcc4ac7ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a22d4d82cd5d187ce6df806f22f93f8dd83619e91595c34332286bbcc4ac7ce
SHA3-384 hash: adf4cd90f517dd94a72bb4486d865ce6b38a142401dc9069ead0f82f16f00eecf0dcc6f6eb51d85c1a958dcd2eac4086
SHA1 hash: 23aeebb32b86956a62e8c5c44d5da9715e4ef3df
MD5 hash: e0c895fc97263d8424dcc9946184f476
humanhash: papa-venus-alabama-oklahoma
File name:e0c895fc97263d8424dcc9946184f476
Download: download sample
Signature AgentTesla
Create hunting rule
File size:835'584 bytes
First seen:2023-08-05 10:52:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:4FeuWCXd1YGm5jqc1co/P8ep5WN4iWkxYI:q1Ybjqc7TmxPCI
Threatray 5'589 similar samples on MalwareBazaar
TLSH T1EA05CE926046F6D9C91CA07A4597C5D800F42F3AB4718F9729C1616BB8FF3D8AE0EDE1
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b464ecd0f0e8dcd0 (7 x RemcosRAT, 6 x SnakeKeylogger, 3 x AgentTesla)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RFQ.lnk
Verdict:
Malicious activity
Analysis date:
2023-08-05 10:06:08 UTC
Tags:
loader stealer agenttesla
Link:
https://app.any.run/tasks/c8077282-ee6a-49c3-96dc-6f8a6225d316

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/440812/
Detection(s):
Win.Trojan.Autoit-7356348-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Setting a keyboard event handler
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/64ce2a10eb483deb840b2aab/reports/6c375b83-f1ad-427d-a04f-d730e7234b6e/overview
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/2a22d4d82cd5d187ce6df806f22f93f8dd83619e91595c34332286bbcc4ac7ce
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5985cfe9-6359-4083-9617-2ddbf393206d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1286444
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Copy file to startup via Powershell
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1286444 Sample: zhhbeqKvx5.exe Startdate: 05/08/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Found malware configuration 2->45 47 15 other signatures 2->47 7 zhhbeqKvx5.exe 3 2->7         started        10 zoom.exe.exe 3 2->10         started        process3 signatures4 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->49 51 May check the online IP address of the machine 7->51 53 Bypasses PowerShell execution policy 7->53 12 zhhbeqKvx5.exe 15 2 7->12         started        16 powershell.exe 13 7->16         started        19 zhhbeqKvx5.exe 7->19         started        55 Injects a PE file into a foreign processes 10->55 21 zoom.exe.exe 14 2 10->21         started        23 powershell.exe 12 10->23         started        process5 dnsIp6 31 api4.ipify.org 173.231.16.76, 443, 49700 WEBNXUS United States 12->31 33 api.telegram.org 149.154.167.220, 443, 49701, 49702 TELEGRAMRU United Kingdom 12->33 35 api.ipify.org 12->35 57 Installs a global keyboard hook 12->57 29 C:\Users\user\AppData\...\zoom.exe.exe, PE32 16->29 dropped 59 Drops PE files to the startup folder 16->59 61 Powershell drops PE file 16->61 25 conhost.exe 16->25         started        37 104.237.62.211, 443, 49703 WEBNXUS United States 21->37 39 api.ipify.org 21->39 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->63 65 Tries to steal Mail credentials (via file / registry access) 21->65 67 Tries to harvest and steal browser information (history, passwords, etc) 21->67 27 conhost.exe 23->27         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a22d4d82cd5d187ce6df806f22f93f8dd83619e91595c34332286bbcc4ac7ce/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-05 10:53:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=firnjwbm2xiypttn7adpel4t7doygym6sfmvynbtekdlxtcky7ha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
129f85ae2da5c30f9439ef123d09d75e2930f1c025e9913a91c212bbe5758c0b
AgentTesla
1b91aa318e9c011abed18662e8c577ddcb12499de26e2fd19bfb4a4ea81f7450
AgentTesla
2239586010f3c269899805ff3fa259a1da9ece54e8fdf43e8ebcb3990ba6724a
AgentTesla
40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949
AgentTesla
52a1809773419caafe264fc932eb4dc72f45e59401ea3c3e73072665ae1ada6f
AgentTesla
5732cbf307b96dece46843921f2936cd87a2541b62f095dbf4ab17a8354f7410
AgentTesla
68cab573aabc49f6164dbf01e2bcdcb9707839ba7b567e8bd6f45911baba9b2e
AgentTesla
86427b8288b61c876a94f3d5226fb04f843ee245ad937dcdb4b974e81ec8b404
AgentTesla
bd8c4eb8ae0047367c1d20d2132d3a2fe2bdf0d197001ea4ecaa3816d59c84e9
AgentTesla
+ 5'579 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230805-myzajadc4w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
4de91f9e99b34b8a78049378097a952e45e62b6f952b934c2a0801c2b8b6d207
MD5 hash:
f57fa0cbb8c21b5b3d049955cd3d7655
SHA1 hash:
e98776031295e8d495a1f7068c66ada3e132f615
Link:
https://www.unpac.me/results/234a4ff7-3aa5-498f-9f43-54ed9e7b8dce/
SH256 hash:
38e5c2f9c9cbe8cd629d501aa586214f9a66b7b02876862152584c77fba80a2d
MD5 hash:
39d81804f2f2465d54e74dfad12e1578
SHA1 hash:
e44c0f6a81afa718e35612879bb484e53be45829
Link:
https://www.unpac.me/results/234a4ff7-3aa5-498f-9f43-54ed9e7b8dce/
SH256 hash:
65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3
MD5 hash:
848b847cd19805d19235b5acb8ef2bef
SHA1 hash:
38100751a4ae45a143232cbacf9bb441b31fb211
Link:
https://www.unpac.me/results/234a4ff7-3aa5-498f-9f43-54ed9e7b8dce/
SH256 hash:
2a22d4d82cd5d187ce6df806f22f93f8dd83619e91595c34332286bbcc4ac7ce
MD5 hash:
e0c895fc97263d8424dcc9946184f476
SHA1 hash:
23aeebb32b86956a62e8c5c44d5da9715e4ef3df
Link:
https://www.unpac.me/results/234a4ff7-3aa5-498f-9f43-54ed9e7b8dce/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2a22d4d82cd5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a22d4d82cd5d187ce6df806f22f93f8dd83619e91595c34332286bbcc4ac7ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 2a22d4d82cd5d187ce6df806f22f93f8dd83619e91595c34332286bbcc4ac7ce

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2699149/
Cape
Cape
https://www.capesandbox.com/analysis/440812/

Comments


Avatar
zbet commented on 2023-08-05 10:52:12 UTC

url : hxxp://hiqsolution.com/snow.exe