MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bad3cf2729badd3d5d317b0ca215ba211ebdf12fc903f504ad81cffa22a7b93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bad3cf2729badd3d5d317b0ca215ba211ebdf12fc903f504ad81cffa22a7b93
SHA3-384 hash: a623efb3c4787aeb55868d1a9870b0e90012ad91cd61cdc6032dce2ac49b1718854e18f3b551fff0a62fabe3dd72cf3d
SHA1 hash: f1054d04e48047d050d5524d308cc94a26f02996
MD5 hash: 6e270eee0b1cc95ce1d2f8854307f280
humanhash: three-princess-don-bakerloo
File name:freight forwarding.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:634'880 bytes
First seen:2023-07-05 14:12:42 UTC
Last seen:2023-07-06 07:14:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:IHqNSFbamWQQy8Edppn/Tq3AgpBreNdF6jgZJHd3JW97j8KXo9GLV7AiSC3X4:IK0WHyPrpLqhBsdFegZJHd3J87j8
Threatray 337 similar samples on MalwareBazaar
TLSH T15CD49DAC36107ADFC857CC769E982C64EA5074BB930BD203A06315ADDA1DA97CF245F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
10
# of downloads :
298
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
freight forwarding.exe
Verdict:
Malicious activity
Analysis date:
2023-07-05 14:14:29 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/7c039e31-4b0e-41d4-9c45-b8fc2ea54903

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/407782/
Detection(s):
SecuriteInfo.com.W32.MSIL_Agent.FPI.gen.Eldorado.5832.2140.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/64a57a6e1aae5c95e186bd46/reports/70fa268b-27d1-4f20-83e8-9e76da55e942/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2bad3cf2729badd3d5d317b0ca215ba211ebdf12fc903f504ad81cffa22a7b93
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9796e575-9f2f-4bbd-bd35-7e0125c8879d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1267370
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1267370 Sample: freight_forwarding.exe Startdate: 05/07/2023 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 3 other signatures 2->47 6 freight_forwarding.exe 3 2->6         started        10 Ycdwx.exe 2 2->10         started        12 Ycdwx.exe 1 2->12         started        process3 file4 23 C:\Users\user\...\freight_forwarding.exe.log, ASCII 6->23 dropped 49 Detected unpacking (changes PE section rights) 6->49 51 Detected unpacking (overwrites its own PE header) 6->51 53 Writes to foreign memory regions 6->53 55 Injects a PE file into a foreign processes 6->55 14 RegSvcs.exe 17 4 6->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        signatures5 process6 dnsIp7 27 mail.elec-qatar.com 50.87.139.143, 49713, 587 UNIFIEDLAYER-AS-1US United States 14->27 29 api4.ipify.org 173.231.16.76, 443, 49712 WEBNXUS United States 14->29 31 api.ipify.org 14->31 25 C:\Users\user\AppData\Roaming\...\Ycdwx.exe, PE32 14->25 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->35 37 May check the online IP address of the machine 14->37 39 3 other signatures 14->39 file8 signatures9
Gathering data
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-07-05 10:19:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fowtz4tstow5hvotc6ymuik3uii6xxys7sid6uck3aop7irkpojq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0725b0bb5b536502fd3a4593864bbf3b25dcacc3b3259162080909284c1348de
AgentTesla
17b85440e830fbef06c68240cf0024dad39a394409980195c360c0084c4be907
AgentTesla
a8d70bf9cc12fbfb715e24cd0591c6e42d4f7e11b67b004255d16bbb26e0b43a
AgentTesla
d385b93c9c93907ce2a86d7bd3a882b2f678cb524235b5fd06ca7b9e523adc70
AgentTesla
d7b0e7f292354e86e9d8e57d99eb0430db5ea3ade7ebdb31e7186b3092136fe1
AgentTesla
e0a9d1ee5f291098090a028934842e554f4bb482a0100077d909d3005430b2ee
AgentTesla
f32fa75689c2875fc313105007b2b9ca1080cb75de4da9b58f2e3ccdb178ac1d
AgentTesla
f4d6855474eaf9cf34a5f7b168b05bf88f174935f57104378d3bc5ac0db64430
AgentTesla
+ 327 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230705-rjdshaec8z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
168997a2fcb8a68b5b896330f90119d8767ae43243d0dcfbe7de63cdfb05c916
MD5 hash:
725f8f6c3892a642354bd32c9821b413
SHA1 hash:
effc426c4114662d3f8be57d26c39dc492766675
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
fba60d5fdcdbeb9a77ce6b992572e3a229b126865b479069c772ab88b15687da
MD5 hash:
e15aee8b5216cb6bdf24a77387d7e7bc
SHA1 hash:
7ac49426ad0c94a7dc0aa7623ea7b950c405eb26
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
Parent samples :
17b85440e830fbef06c68240cf0024dad39a394409980195c360c0084c4be907
156c6d57b228e6b5a8920f268f26b70b5fb6ec53b255f102f2dc9f7fa21c9097
7cd2ed629dd0e67f352edcb542ed9ed089b0e474a97701a4036a4c9b08b8f980
a8d70bf9cc12fbfb715e24cd0591c6e42d4f7e11b67b004255d16bbb26e0b43a
2bad3cf2729badd3d5d317b0ca215ba211ebdf12fc903f504ad81cffa22a7b93
aa4d7c8a7bd3a5690b8b2dc1ed9fc3bfd40981671b3642625fa3c7589bf459ac
19e9e83de17d01983fe73b24b034831537e978652e6d6f0d70db6d48c72cb9c2
2313b3f23146c4475ec50d51bea33e49f6167c799e418c4c08620e7a720edb04
1c71de5816aed5c4f8d677703ee09567ef0b80fb2e50acb2cf1c1ed931660ef1
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
168997a2fcb8a68b5b896330f90119d8767ae43243d0dcfbe7de63cdfb05c916
MD5 hash:
725f8f6c3892a642354bd32c9821b413
SHA1 hash:
effc426c4114662d3f8be57d26c39dc492766675
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
fba60d5fdcdbeb9a77ce6b992572e3a229b126865b479069c772ab88b15687da
MD5 hash:
e15aee8b5216cb6bdf24a77387d7e7bc
SHA1 hash:
7ac49426ad0c94a7dc0aa7623ea7b950c405eb26
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
Parent samples :
17b85440e830fbef06c68240cf0024dad39a394409980195c360c0084c4be907
156c6d57b228e6b5a8920f268f26b70b5fb6ec53b255f102f2dc9f7fa21c9097
7cd2ed629dd0e67f352edcb542ed9ed089b0e474a97701a4036a4c9b08b8f980
a8d70bf9cc12fbfb715e24cd0591c6e42d4f7e11b67b004255d16bbb26e0b43a
2bad3cf2729badd3d5d317b0ca215ba211ebdf12fc903f504ad81cffa22a7b93
aa4d7c8a7bd3a5690b8b2dc1ed9fc3bfd40981671b3642625fa3c7589bf459ac
19e9e83de17d01983fe73b24b034831537e978652e6d6f0d70db6d48c72cb9c2
2313b3f23146c4475ec50d51bea33e49f6167c799e418c4c08620e7a720edb04
1c71de5816aed5c4f8d677703ee09567ef0b80fb2e50acb2cf1c1ed931660ef1
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
168997a2fcb8a68b5b896330f90119d8767ae43243d0dcfbe7de63cdfb05c916
MD5 hash:
725f8f6c3892a642354bd32c9821b413
SHA1 hash:
effc426c4114662d3f8be57d26c39dc492766675
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
fba60d5fdcdbeb9a77ce6b992572e3a229b126865b479069c772ab88b15687da
MD5 hash:
e15aee8b5216cb6bdf24a77387d7e7bc
SHA1 hash:
7ac49426ad0c94a7dc0aa7623ea7b950c405eb26
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
Parent samples :
17b85440e830fbef06c68240cf0024dad39a394409980195c360c0084c4be907
156c6d57b228e6b5a8920f268f26b70b5fb6ec53b255f102f2dc9f7fa21c9097
7cd2ed629dd0e67f352edcb542ed9ed089b0e474a97701a4036a4c9b08b8f980
a8d70bf9cc12fbfb715e24cd0591c6e42d4f7e11b67b004255d16bbb26e0b43a
2bad3cf2729badd3d5d317b0ca215ba211ebdf12fc903f504ad81cffa22a7b93
aa4d7c8a7bd3a5690b8b2dc1ed9fc3bfd40981671b3642625fa3c7589bf459ac
19e9e83de17d01983fe73b24b034831537e978652e6d6f0d70db6d48c72cb9c2
2313b3f23146c4475ec50d51bea33e49f6167c799e418c4c08620e7a720edb04
1c71de5816aed5c4f8d677703ee09567ef0b80fb2e50acb2cf1c1ed931660ef1
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
168997a2fcb8a68b5b896330f90119d8767ae43243d0dcfbe7de63cdfb05c916
MD5 hash:
725f8f6c3892a642354bd32c9821b413
SHA1 hash:
effc426c4114662d3f8be57d26c39dc492766675
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
fba60d5fdcdbeb9a77ce6b992572e3a229b126865b479069c772ab88b15687da
MD5 hash:
e15aee8b5216cb6bdf24a77387d7e7bc
SHA1 hash:
7ac49426ad0c94a7dc0aa7623ea7b950c405eb26
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
Parent samples :
17b85440e830fbef06c68240cf0024dad39a394409980195c360c0084c4be907
156c6d57b228e6b5a8920f268f26b70b5fb6ec53b255f102f2dc9f7fa21c9097
7cd2ed629dd0e67f352edcb542ed9ed089b0e474a97701a4036a4c9b08b8f980
a8d70bf9cc12fbfb715e24cd0591c6e42d4f7e11b67b004255d16bbb26e0b43a
2bad3cf2729badd3d5d317b0ca215ba211ebdf12fc903f504ad81cffa22a7b93
aa4d7c8a7bd3a5690b8b2dc1ed9fc3bfd40981671b3642625fa3c7589bf459ac
19e9e83de17d01983fe73b24b034831537e978652e6d6f0d70db6d48c72cb9c2
2313b3f23146c4475ec50d51bea33e49f6167c799e418c4c08620e7a720edb04
1c71de5816aed5c4f8d677703ee09567ef0b80fb2e50acb2cf1c1ed931660ef1
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
SH256 hash:
2bad3cf2729badd3d5d317b0ca215ba211ebdf12fc903f504ad81cffa22a7b93
MD5 hash:
6e270eee0b1cc95ce1d2f8854307f280
SHA1 hash:
f1054d04e48047d050d5524d308cc94a26f02996
Link:
https://www.unpac.me/results/40c9bee3-0728-4e6f-ad29-f43ee55b01c7/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2bad3cf2729b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/2bad3cf2729badd3d5d317b0ca215ba211ebdf12fc903f504ad81cffa22a7b93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip fb41ef5d118d07cf3214489b135e9e6039db499a6442f818af8c419063a59b49

AgentTesla

Executable exe 2bad3cf2729badd3d5d317b0ca215ba211ebdf12fc903f504ad81cffa22a7b93

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/407782/
  
Dropped by
SHA256 fb41ef5d118d07cf3214489b135e9e6039db499a6442f818af8c419063a59b49
  
Dropped by
MD5 ef82bd674ca8085781b2e3663f374125
  
Dropped by
SHA256 5c61d2a5fa3c8ca792b3f92718de1b6e21df1237c8fae6db4a2604cb30e26dc9
  
Dropped by
MD5 ac4a73027d59d729b5d27abdc457a9b3
  
Dropped by
SHA256 1aabc238b8a45e97b218758d81ab426ea4e5702ca07e1cf6b47e1fdce70f4d2d
  
Dropped by
MD5 b7c5cd913870250b323cf11e1d574847

Comments