MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b5879eec079a7a193c6cde2954793a5ff597689cd4546ff37f96fd7d5470471. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b5879eec079a7a193c6cde2954793a5ff597689cd4546ff37f96fd7d5470471
SHA3-384 hash: 38bef08b7af85d980fe470e19f6c6fa340f4271668c68e52d1e673990dc06e129d185cbfd1f959278c37088cfff9cd72
SHA1 hash: d9c5aa337261a1df5c78d77fd85c639565dbeddb
MD5 hash: 12a678bc0e0f3fc7a8ef30aa7c335c6e
humanhash: hawaii-north-item-monkey
File name:346931080_2020112416.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:955'904 bytes
First seen:2022-01-25 15:21:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:KnZQaAixdaN3hiPyhP175KDoW8Z5dk8ojdoMr:KneajvPsN7kDc5dkVo
Threatray 14'414 similar samples on MalwareBazaar
TLSH T16415F1047BA5C762C13A9BF404F230148BB9396AA53ED5D92DCB51DB4BF9F208166F0B
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
346931080_2020112416.exe
Verdict:
Malicious activity
Analysis date:
2022-01-25 15:32:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7e57d21d-1bed-4a08-8de7-dd7d4aed2e05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/222559/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61f015a0d73ca9d46487b879/reports/52fb1468-c13c-4539-bd8d-11dfe8c11187/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f9308a8-dda3-4526-be15-67741048cc48
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/927619
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 560093 Sample: 346931080_2020112416.exe Startdate: 26/01/2022 Architecture: WINDOWS Score: 100 31 server54.web-hosting.com 2->31 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected AgentTesla 2->43 45 Yara detected AntiVM3 2->45 47 3 other signatures 2->47 7 346931080_2020112416.exe 3 2->7         started        11 TmZaMAa.exe 3 2->11         started        13 TmZaMAa.exe 2 2->13         started        signatures3 process4 file5 25 C:\Users\...\346931080_2020112416.exe.log, ASCII 7->25 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->51 53 Injects a PE file into a foreign processes 7->53 15 346931080_2020112416.exe 2 5 7->15         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 19 TmZaMAa.exe 2 11->19         started        21 TmZaMAa.exe 11->21         started        23 TmZaMAa.exe 2 13->23         started        signatures6 process7 file8 27 C:\Users\user\AppData\Roaming\...\TmZaMAa.exe, PE32 15->27 dropped 29 C:\Users\user\...\TmZaMAa.exe:Zone.Identifier, ASCII 15->29 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->33 35 Tries to steal Mail credentials (via file / registry access) 15->35 37 Tries to harvest and steal ftp login credentials 15->37 39 2 other signatures 15->39 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2b5879eec079a7a193c6cde2954793a5ff597689cd4546ff37f96fd7d5470471/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 15:22:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fnmht3wapgt2de6gzxrjkr4tux7vs5ujzvcun7zx7fx5pvkharyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05edc3fe4fb4bfa22e5e3ce66e66a4f258adc1aebbb26142bafd1a9264feb4b9
AgentTesla
1109e9c4a8dceb63160c59807b81adc6d4e82c28529c80bd1ff80993dc906508
AgentTesla
1c4cbe5a3adfa0a596eabff32c6a43fe2f5fc2be1dcf71bddbd0c1200d7451a8
AgentTesla
82974999943578ea16bc86bc5e87c7a6122e24593a9adc2f069f81be85ed79cd
AgentTesla
8b345f73d84e6fc765d7907aaa33d844ef2c180024baeaa53ff895bab8e19356
AgentTesla
b1fe3e4522b701047d35e034db5ed2e9b8b10619b15f3d1a0b44b8da1a499352
AgentTesla
da1621ccdb3714c1fda08f6e783ff18962e4803fff14b3095d3e260c26642648
AgentTesla
e2ef34d6833b50a6bb0c28e94c5f1f0c7454d13b41c14b5b5a8de2a84f8a8771
AgentTesla
+ 14'404 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220125-sr2d7shggl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
b55feb12f36c01c29594222750b200425577d78440ef0dcb878ef8daac70385f
MD5 hash:
7ed133bd5619baabcb51479a274e4bc1
SHA1 hash:
97e4724c696655979315f4b2f430c4131020fe8b
Link:
https://www.unpac.me/results/f912fdf3-7cf2-467f-bbb7-ff2296ff2136/
SH256 hash:
8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1
MD5 hash:
efdf2c54a74297c24bc73285376c432b
SHA1 hash:
564f25afb6c5599cdcd5fafaff32c1475e581af4
Link:
https://www.unpac.me/results/f912fdf3-7cf2-467f-bbb7-ff2296ff2136/
SH256 hash:
2efbe455b1c67bf1a7635ab08c462f7fb35bad907a74b4cc6ed7e74a1e2fe15a
MD5 hash:
a049299a80f63979043434bc33a788b2
SHA1 hash:
50d7cef712acbb9ffba86da77a34ada17fcd7d57
Link:
https://www.unpac.me/results/f912fdf3-7cf2-467f-bbb7-ff2296ff2136/
SH256 hash:
2b5879eec079a7a193c6cde2954793a5ff597689cd4546ff37f96fd7d5470471
MD5 hash:
12a678bc0e0f3fc7a8ef30aa7c335c6e
SHA1 hash:
d9c5aa337261a1df5c78d77fd85c639565dbeddb
Link:
https://www.unpac.me/results/f912fdf3-7cf2-467f-bbb7-ff2296ff2136/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/2b5879eec079a7a193c6cde2954793a5ff597689cd4546ff37f96fd7d5470471

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2b5879eec079a7a193c6cde2954793a5ff597689cd4546ff37f96fd7d5470471

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/222559/

Comments