MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2adced1fcc20537c8781ffc85614ea22378125595dbf77dd7403dde711048c89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2adced1fcc20537c8781ffc85614ea22378125595dbf77dd7403dde711048c89
SHA3-384 hash: 8f423d00e03f3f26d790a0728e550ffe10db17e1d9cd5bc126c602b4c3d80f6722ff17b54f4a2df52e65287d55036501
SHA1 hash: 6ad4e41047050dd6d761c4d719f4275292caa050
MD5 hash: bf47a7f7a4bca87822a426c3e0d97db3
humanhash: sink-robin-mango-high
File name:Revised Inv with new bank details.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:673'792 bytes
First seen:2023-09-19 10:51:20 UTC
Last seen:2023-09-20 07:27:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:cQbqNMnUTAxxJq/O7XSdFLSYAJTumnsRUqALhxuEl5zhtxxvpVRnOJTEB:c7NLYxJGOT6FLSYxqcshxuEl5zhtxxvd
Threatray 5'601 similar samples on MalwareBazaar
TLSH T106E49E2572DF1646C77AABB10BD09C6E93E5F167531BF63B3FE119C64B22A408902732
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
3
# of downloads :
317
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449653/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.23734.30063.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/65097d5432ffdb7a7a0b784e/reports/0e6d260f-7078-49ae-ac8f-5ba13a770951/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/2adced1fcc20537c8781ffc85614ea22378125595dbf77dd7403dde711048c89
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9ea761d-5931-4e2e-9439-b9c6752968be
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1310712
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1310712 Sample: Revised_Inv_with_new_bank_d... Startdate: 19/09/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Found malware configuration 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 11 other signatures 2->49 7 FqtZmOdKSdYUP.exe 5 2->7         started        10 Revised_Inv_with_new_bank_details.exe 6 2->10         started        process3 file4 51 Antivirus detection for dropped file 7->51 53 Multi AV Scanner detection for dropped file 7->53 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->55 65 2 other signatures 7->65 13 FqtZmOdKSdYUP.exe 14 2 7->13         started        17 schtasks.exe 1 7->17         started        27 C:\Users\user\AppData\...\FqtZmOdKSdYUP.exe, PE32 10->27 dropped 29 C:\Users\user\AppData\Local\...\tmp9718.tmp, XML 10->29 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->57 59 May check the online IP address of the machine 10->59 61 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 10->63 19 Revised_Inv_with_new_bank_details.exe 15 2 10->19         started        21 schtasks.exe 1 10->21         started        signatures5 process6 dnsIp7 31 208.91.198.143, 49711, 587 PUBLIC-DOMAIN-REGISTRYUS United States 13->31 33 smtp.rniles.com 13->33 39 2 other IPs or domains 13->39 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->67 69 Tries to steal Mail credentials (via file / registry access) 13->69 71 Tries to harvest and steal browser information (history, passwords, etc) 13->71 23 conhost.exe 17->23         started        35 smtp.rniles.com 19->35 37 api4.ipify.org 104.237.62.212, 443, 49708 WEBNXUS United States 19->37 41 2 other IPs or domains 19->41 25 conhost.exe 21->25         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2adced1fcc20537c8781ffc85614ea22378125595dbf77dd7403dde711048c89/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-19 08:14:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=floo2h6mebjxzb4b77efmfhkei3ycjkzlw7xpxluapo6oeierseq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12e5b82532b73abb25218f602cc9df661e9f58a771631e3baf1f0145db6d74b5
AgentTesla
186e9ac371aaa85c335ee912e54c1d8d444022268dd47570a7373c6cb830ae8f
AgentTesla
217a04102c6021e98815a35feab526e99a259f01c9baee3e143288dbc160b920
AgentTesla
2adced1fcc20537c8781ffc85614ea22378125595dbf77dd7403dde711048c89
AgentTesla
5167b917426b8435d81522f885966f00cbf7f5b896e2a6b18696bb0f1194756c
AgentTesla
5eaee0dafc1a86ccfbb28508d7ff975a85329f8a8722baebddaefa553593b80f
AgentTesla
80dd6624e723c71bda0bb04573a1e96662184bd5dbef76c824c884df8afa2e15
AgentTesla
83e202c299d139b909d80f39e81487515d2f21a9a0b6546f42dbd194088e07e7
AgentTesla
99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455
AgentTesla
+ 5'591 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230919-mydntsae88/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
960d38917ba5663ae9c1bfc3826cfb41f9efab596ae56a0a9d4005032a0719ae
MD5 hash:
a9159efd80eee1ef07f64e3594e61e5f
SHA1 hash:
e75ec42ed7a4830e1d6958ad6aa8048892a976c5
Link:
https://www.unpac.me/results/5bf39929-d57e-45d9-b92f-fe07cdb972d8/
SH256 hash:
0b4c93addb0071e4cc368bc5e46a535e2eafd360b5db8b6c87620d7225eade2d
MD5 hash:
e17d9bb18c1bf12de8c75fa570f4cf72
SHA1 hash:
97751a31524557387d136e0e42e204186d00b5dd
Link:
https://www.unpac.me/results/5bf39929-d57e-45d9-b92f-fe07cdb972d8/
SH256 hash:
dcdf858ec9b17c8637a178fda10603a1a6d824cd589b29b18317d8f4fcf63b25
MD5 hash:
aefcf3b1c1ff38b2e6661e1531d18d44
SHA1 hash:
700b8b2faec844ec99848f6aff637c24e8b996ef
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/5bf39929-d57e-45d9-b92f-fe07cdb972d8/
SH256 hash:
2adced1fcc20537c8781ffc85614ea22378125595dbf77dd7403dde711048c89
MD5 hash:
bf47a7f7a4bca87822a426c3e0d97db3
SHA1 hash:
6ad4e41047050dd6d761c4d719f4275292caa050
Link:
https://www.unpac.me/results/5bf39929-d57e-45d9-b92f-fe07cdb972d8/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2adced1fcc20/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2adced1fcc20537c8781ffc85614ea22378125595dbf77dd7403dde711048c89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace 91dc77569ecffe02d7b76edc7d57457541eed136816a56569141bc4f07439aa8

AgentTesla

Executable exe 2adced1fcc20537c8781ffc85614ea22378125595dbf77dd7403dde711048c89

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 91dc77569ecffe02d7b76edc7d57457541eed136816a56569141bc4f07439aa8
Cape
Cape
https://www.capesandbox.com/analysis/449653/
  
Dropped by
MD5 c8e5e9dacdaaeeff038fa949136f14db

Comments