MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478
SHA3-384 hash: 43c8f33bdaafcc0212edb4050ee594600b3e58a6a323eba655c4bf18e8fb30a83643a09f5412e350572a833187798e68
SHA1 hash: 35feb281ab5089e4cc0c5061b56e64ae0553a903
MD5 hash: 89a051195ae739f9c9404c7beaa4f0d5
humanhash: sink-uncle-quiet-coffee
File name:Halkbank_Ekstre_20230123_07.pdf.pdf
Download: download sample
Signature AgentTesla
Create hunting rule
File size:313'420 bytes
First seen:2023-01-23 18:49:46 UTC
Last seen:2023-02-01 21:17:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:PYa6Tw5f31fqfh1MoMRDqK7NTD6BFxhfXkn+jY3XtFK3BHZkEKUa+q:PYhw5lAynRGIlD6BdXkecXUBiE+9
Threatray 25'512 similar samples on MalwareBazaar
TLSH T1DE64122D779ADC7BEC731071AE7C0A7EADA4EC2001709B5717614A29BD32926DC0F792
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe geo Halkbank pdf TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20230123_07.pdf.pdf
Verdict:
Malicious activity
Analysis date:
2023-01-23 18:57:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/55c5f332-84c4-4ff8-90e8-aebc304b1921

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356049/
Detection(s):
SecuriteInfo.com.Variant.Lazy.264429.602.16485.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62543/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
83%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63ced6de905a5ac3b90889b7/reports/013bfacf-6bee-4a1c-8421-e415c7d4098a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ced7e181-43fc-4361-b6ab-0842bb53526f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157392
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fjijq6jla7zygvpq4bx64fyegirgae5cdpayyeusck5ynduy6r4a._file
Verdict:
malicious
Similar samples:
011c5a93fcf5f1fda343e254b6be02737381be4df4bdec1aa07c8ad23b540599
AgentTesla
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
1143b577b1f61ea03807acd45383937486fd8f7873df1d1485848e0af7bc8780
AgentTesla
1326d9172aa0687e037a43b532cf2fb0e2ba90bff2e35efdebac87c3b06560f2
AgentTesla
24902a43196fd02d2939443510181c165980bd71e889dcff559ca25153c76d81
AgentTesla
67750f03899be15c0f79fa9f86aa3ad52012f4db0d6e2522146491e4bc657a32
AgentTesla
6e990492f3bb08e8ae69669a7c491e9d401fc10f0c2ed6ab9377c385acab5aac
AgentTesla
a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8
AgentTesla
e981e1db1021b07c50b3d819e4ac62f5b1cad2bc64c591fd59c427f57ecb1fb6
AgentTesla
+ 25'502 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230123-xgy9baeg45/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
88b9eda74a0edef7de92182f86d52fb3fca53af463c7375f69a83322c2b9dcd8
MD5 hash:
b4f9ad1ef85e0cf52e8842cfa98e7964
SHA1 hash:
ee4a4c7f62d8fa7a0e07813a3a2c5ae4a921bb7b
Link:
https://www.unpac.me/results/af69fd7d-ab92-43e7-8b70-d28bda21bfd0/
SH256 hash:
e5d142df0df5a06823d404f6eb106e97b5217c177ed7951a8b2b8d0dc1af86b4
MD5 hash:
f3073fa21029d1f083f56ddd8f96f663
SHA1 hash:
484408ff3e588902aeefcaa65029db396a9446ea
Link:
https://www.unpac.me/results/af69fd7d-ab92-43e7-8b70-d28bda21bfd0/
SH256 hash:
1c2b61408585c840201ee5c4b34a01dc84f760ec640e639100bdc6bd46665f76
MD5 hash:
610e8fef8f59d8df8bcc52214a1fdbc1
SHA1 hash:
0f55c19425f26d153ccf8f64706b215546ec91db
Link:
https://www.unpac.me/results/af69fd7d-ab92-43e7-8b70-d28bda21bfd0/
SH256 hash:
2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478
MD5 hash:
89a051195ae739f9c9404c7beaa4f0d5
SHA1 hash:
35feb281ab5089e4cc0c5061b56e64ae0553a903
Link:
https://www.unpac.me/results/af69fd7d-ab92-43e7-8b70-d28bda21bfd0/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2a5098792b07/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/356049/

Comments