MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bb773e136439075cac3a339b5699b0036a0896c1f2689162d816d673fa72d95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bb773e136439075cac3a339b5699b0036a0896c1f2689162d816d673fa72d95
SHA3-384 hash: 8d0e21871a5e025b5f2947ca550ca680d0adfa1946a3bc4ab6891edfc49638739827771e1ca6a16bc6f5836a8fc9ee0a
SHA1 hash: 541656028161a5e9888784f823d024c63b331c1a
MD5 hash: 6ca0066116d680498536e8e74ba59fc1
humanhash: north-steak-stream-massachusetts
File name:6ca0066116d680498536e8e74ba59fc1.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:449'585 bytes
First seen:2023-10-05 09:22:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:JY0aDT2TABtH/2mU+EsOCjs2MxBwscmBz9q+A3QD:JYxyTABteL+ci7Mx9Tz9ZR
Threatray 243 similar samples on MalwareBazaar
TLSH T1C4A4120078548163ECA20F709932A8652996EE2928FD974F6345BF5C3B373636D1FB53
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6975a6ac8c163681 (4 x AgentTesla, 1 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ałtaj RFQ.pdf
Verdict:
No threats detected
Analysis date:
2023-10-01 16:14:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/62b2ccaa-19e5-4a8c-9fe2-6eb78066e822

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Loader.1550.26703.31871.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control lokibot lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/651e807dbe42b2ac8e5c1520/reports/67edc394-ac1a-44e8-8e34-5e0a0ec293b9/overview
Verdict:
Malicious
Labled as:
Trojan.Strab
Link:
https://www.hybrid-analysis.com/sample/2bb773e136439075cac3a339b5699b0036a0896c1f2689162d816d673fa72d95
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd20cab9-64ba-48c3-b0cd-df5b9485e50d
Result
Threat name:
AgentTesla, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1320091
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Yara detected AgentTesla
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1320091 Sample: UEs3VfQ9Hk.exe Startdate: 05/10/2023 Architecture: WINDOWS Score: 100 20 Found malware configuration 2->20 22 Antivirus / Scanner detection for submitted sample 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 4 other signatures 2->26 8 UEs3VfQ9Hk.exe 18 2->8         started        process3 file4 18 C:\Users\user\AppData\Local\Temp\sfdnm.exe, PE32 8->18 dropped 11 sfdnm.exe 8->11         started        process5 signatures6 28 Antivirus detection for dropped file 11->28 30 Multi AV Scanner detection for dropped file 11->30 32 Machine Learning detection for dropped file 11->32 34 2 other signatures 11->34 14 sfdnm.exe 11->14         started        process7 process8 16 WerFault.exe 21 18 14->16         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2bb773e136439075cac3a339b5699b0036a0896c1f2689162d816d673fa72d95/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 13:23:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fo3xhyjwioihlswdum43k2m3aa3kbclmd4tisfrnqfwwop5hfwkq._file
Verdict:
malicious
Similar samples:
02e565314622beca0b16e1c731549262b2b22e4bf3bef691d23991cebf94bfab
AgentTesla
0d05c9ec5cbccc7252bfa4f1fe3da5ac89c431fb9aba15fcbf28621cf2f2a48d
AgentTesla
18a48731b148e59ecffa75b392d72963d1a7e386201e9745eb1f06169cd37d00
AgentTesla
2a59d6f16ee8881b94e633cc53e0bc73054a8361c5aca22d17d4ca35488e1d58
AgentTesla
3be6612501472572fdc009d75567cb83d4f2f54a7628c2b95b48adb6bdc43b9b
AgentTesla
5a5405a59ac1371bf62ee9599b29bed6e7ee8e11f7319c6ff7d5900963900e3f
AgentTesla
609592caa987add8031fbe007b2901e0e02de60a8fda33ace07dbec8b2239205
AgentTesla
e1588fa2fbba71b436afb6df74166ffc100c422257b8c259debb07f3201bffeb
AgentTesla
ec50c4dbfaf63807aa7eab2af9c1bc46b66553bc1da16f1aede4dd8096b8bcd5
AgentTesla
+ 233 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231005-lcgmxsbh58/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
edd1bedcf2e71ba64bc66226405d03881ac11b4e92f8c70880d1a39a7f653a08
MD5 hash:
62fc84aef185e3b9fbf9cebc467c39db
SHA1 hash:
0de66791bd098f0b27ef71f8a0714a3ee22e97c0
Link:
https://www.unpac.me/results/1685a387-7907-49d8-b749-e180d25c60d1/
SH256 hash:
2bb773e136439075cac3a339b5699b0036a0896c1f2689162d816d673fa72d95
MD5 hash:
6ca0066116d680498536e8e74ba59fc1
SHA1 hash:
541656028161a5e9888784f823d024c63b331c1a
Link:
https://www.unpac.me/results/1685a387-7907-49d8-b749-e180d25c60d1/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2bb773e13643/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2bb773e136439075cac3a339b5699b0036a0896c1f2689162d816d673fa72d95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_bytecodes_sep_2023
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments