MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d4da1e950099d18d8830d25a968ad522754012bd2d865fd2019abb2818f0bb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d4da1e950099d18d8830d25a968ad522754012bd2d865fd2019abb2818f0bb8
SHA3-384 hash: dd159bfdae579599bab1aa41673ee099c6c9ebb9255a1c19c5de9cbfcd1e5e3778ff5f8c27c751c860c8ec33a9a6ef6e
SHA1 hash: d0fa28f49b58bc7a7313df8631edbbe6f093d383
MD5 hash: 6e3692afb8825e3ee5640ea1efb235f2
humanhash: white-fourteen-snake-nitrogen
File name:TŞ_ İİ-2023-00888 üretim şartnamesi_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:629'760 bytes
First seen:2023-04-14 06:11:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:qkkNORGpLg6HpQZuZ6kK9jn7rbEe+dYruVnVfe:qkkNOMp0AQ57n+dYr6Vfe
Threatray 695 similar samples on MalwareBazaar
TLSH T110D41226B3574A21E278567B80D8404403B05787F973C68E6CC236DEA61FBA59FC1F9B
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000c4c4e4c47000 (17 x AgentTesla, 7 x SnakeKeylogger, 6 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe geo Telegram TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TŞ_ İİ-2023-00888 üretim şartnamesi_PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-04-14 06:18:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/60c33b72-c3d4-43fa-838d-1c380b545123

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382185/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/6438eebdb4ec50bace6021cc/reports/7c976f37-5236-4eef-8caa-147017f115c0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2d4da1e950099d18d8830d25a968ad522754012bd2d865fd2019abb2818f0bb8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de61f07a-d5f9-4c53-b0ca-a1f640e31fd2
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213664
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 846591 Sample: T#U015e__#U0130#U0130-2023-... Startdate: 14/04/2023 Architecture: WINDOWS Score: 100 42 api.telegram.org 2->42 46 Snort IDS alert for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 10 other signatures 2->52 8 T#U015e__#U0130#U0130-2023-00888_#U00fcretim_#U015fartnamesi_PDF.exe 6 2->8         started        12 gTSUUqQBpeVVI.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\gTSUUqQBpeVVI.exe, PE32 8->36 dropped 38 C:\...\gTSUUqQBpeVVI.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp867E.tmp, XML 8->40 dropped 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->54 56 Uses schtasks.exe or at.exe to add and modify task schedules 8->56 58 Adds a directory exclusion to Windows Defender 8->58 60 Injects a PE file into a foreign processes 8->60 14 T#U015e__#U0130#U0130-2023-00888_#U00fcretim_#U015fartnamesi_PDF.exe 15 2 8->14         started        18 powershell.exe 22 8->18         started        20 powershell.exe 21 8->20         started        22 schtasks.exe 1 8->22         started        62 Multi AV Scanner detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 24 gTSUUqQBpeVVI.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 44 api.telegram.org 149.154.167.220, 443, 49700, 49701 TELEGRAMRU United Kingdom 14->44 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        66 Tries to steal Mail credentials (via file / registry access) 24->66 68 Tries to harvest and steal browser information (history, passwords, etc) 24->68 34 conhost.exe 26->34         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d4da1e950099d18d8830d25a968ad522754012bd2d865fd2019abb2818f0bb8/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-13 09:54:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fvg2d2kqbgorrwedbus2s2fnkitviajl2lmgl7jadgv3fampbo4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04a42e9d0b1c019989d91249331e0920703296490ab8a565bed15e1a0e1742fc
AgentTesla
2425598129b104c77948e02bdbfab451e7696de693d90f875d0cb0e3ffdb300c
AgentTesla
3adef7268e1bed2ac601b251a07c454d2c24997bfad1a45895b1b0676cd93294
AgentTesla
3af5c0843b016faa6129e40b696565d4117b48fd6750164ac4a0f307ef3d6a36
AgentTesla
5509e143021f95074f9cde2dac4d79960710adb794bb1cdf57582be08681c3bf
AgentTesla
5bfe34e8eb631772435358e76505165c19651fb9750c1817a602e6e27d12c3bb
AgentTesla
80c6293d18c38b686ea6ab60d134247f8d72553be2d20a305b94c78115227667
AgentTesla
bffea4bf5d2cda8c23b02e73e1a5cc9a43da3816c7193f23db798e4982916c66
AgentTesla
f762c98b251097d1cbc8bb09b9deb573132689d83996d6884984d3f334fd2f18
AgentTesla
f8d91c8bc33c75ab7794e0c0a8498110cf03403daed2caf77a47975402be2e48
AgentTesla
+ 685 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230414-gx786aaa6x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SH256 hash:
a209d156256ea20fcf1359a9ad39df396218fb474acb4cbfc859eb524887e405
MD5 hash:
6cbe5f0daab8b3add38250a699deba23
SHA1 hash:
bf1153517e9de5522b2d45c3d4fcd40331e299aa
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/8c36dc02-2168-4098-ba71-20960ec17441/
Parent samples :
2d4da1e950099d18d8830d25a968ad522754012bd2d865fd2019abb2818f0bb8
8943593e7957a1ec506da8328e3b1fbe8447e6daf23992e007756ba79a13c095
47b95d512aad9b9fb931ad9f1937c88933fb6bd6e1dc3afe20f185d70d96795d
5c76a96da653327e6693cf7b0cd13af04dccdc8cab2692fdb707b293c197c2ee
32758fc5150d78fc2eb377d6a3468e199a6d2f3222070c2a7f72b90bfbd95759
139108c63c1c7cddfa8ab353bfd2c9540349be90d4e8ec1f4c21249ed57ec109
a8e0587c11c94b01dbfa35ab575d6ff9987aea21eeec5e1136445cbd4bf50c99
9f9ef502a14f6985947ff8aed129252f4db71d4ab29bb2cd11b533ce1fbf3102
e1a441bbf7f86c4a4ae14f1a62301dffeef1261a53e6829eaa9085d666e14bf1
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/8c36dc02-2168-4098-ba71-20960ec17441/
SH256 hash:
99fa2d79d020eee2053a11adaf506fb7440e0c7c86feb056ee6fdf59bfdd997d
MD5 hash:
25bf2203022f4708899d590c4900cce9
SHA1 hash:
93d141d68b9a556bc8b095052d2dbf4df1924428
Link:
https://www.unpac.me/results/8c36dc02-2168-4098-ba71-20960ec17441/
SH256 hash:
1a8f57c6b8b3c061e17d9bf1a2ebaec7c5552fa670e00217cd13fec17ec75cb5
MD5 hash:
51b2c2a820abeed5242bf979b2ef2c5a
SHA1 hash:
92026d74fc5ef3ae8fbd83a2aaffb379d0eacfcf
Link:
https://www.unpac.me/results/8c36dc02-2168-4098-ba71-20960ec17441/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/8c36dc02-2168-4098-ba71-20960ec17441/
SH256 hash:
2d4da1e950099d18d8830d25a968ad522754012bd2d865fd2019abb2818f0bb8
MD5 hash:
6e3692afb8825e3ee5640ea1efb235f2
SHA1 hash:
d0fa28f49b58bc7a7313df8631edbbe6f093d383
Link:
https://www.unpac.me/results/8c36dc02-2168-4098-ba71-20960ec17441/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d4da1e95009/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2d4da1e950099d18d8830d25a968ad522754012bd2d865fd2019abb2818f0bb8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382185/

Comments