MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d5d72d557920e6beef5c35e3cdd3ddd1339b2c4306e4b79e540058afede2063. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d5d72d557920e6beef5c35e3cdd3ddd1339b2c4306e4b79e540058afede2063
SHA3-384 hash: 9b1df4f4ba8a25cc613dabc94ee664e2ff0d2780d88109e45da2fc4d6ded4b7d64512e5dc8453d25f076bc26054d5f01
SHA1 hash: 66e87764ff09ebba04681cbc2c61a43cbfa595b5
MD5 hash: 7db0bc0c978bda0048ac2944b9b86245
humanhash: lemon-may-december-floor
File name:PO-23456543_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:366'872 bytes
First seen:2022-12-07 19:47:04 UTC
Last seen:2022-12-07 21:30:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 6144:LBnb2BEjQdYiIlpaaKRcMoBO5t9Dm/LhGTVwuIWqJllrmuDW5P/G2rb:FLbpxKuM5PqhGTZsJllmua5XG2rb
Threatray 11'609 similar samples on MalwareBazaar
TLSH T1C67412D7F0D1207FF4DB837BACEA1E36E2E1252505921A0293B02FE97E125C257C97A5
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4923292e2ccb4c0 (13 x AgentTesla, 7 x Formbook, 3 x Loki)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PO-23456543_pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-12-07 19:47:46 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/a0b8ac0a-22ad-4d29-8d74-a015f342fa3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344109/
Detection(s):
SecuriteInfo.com.FileRepMalware.10514.8559.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Setting a keyboard event handler
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6390edf404e0e79bdf4159b2/reports/c2a64e0e-658c-4518-9388-317c6d6fe56a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1bd8a2f-17f3-424f-a46b-8c2fe984ffc1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1130286
Signature
.NET source code contains very large array initializations
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 763010 Sample: PO-23456543_pdf.exe Startdate: 07/12/2022 Architecture: WINDOWS Score: 100 27 Snort IDS alert for network traffic 2->27 29 Malicious sample detected (through community Yara rule) 2->29 31 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->31 33 5 other signatures 2->33 7 PO-23456543_pdf.exe 19 2->7         started        process3 file4 19 C:\Users\user\AppData\Local\...\flogjpnc.exe, PE32 7->19 dropped 10 flogjpnc.exe 1 7->10         started        process5 signatures6 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->35 37 May check the online IP address of the machine 10->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->39 41 Maps a DLL or memory area into another process 10->41 13 flogjpnc.exe 17 4 10->13         started        17 conhost.exe 10->17         started        process7 dnsIp8 21 api.telegram.org 149.154.167.220, 443, 49719 TELEGRAMRU United Kingdom 13->21 23 api.ipify.org.herokudns.com 54.91.59.199, 443, 49718 AMAZON-AESUS United States 13->23 25 api.ipify.org 13->25 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->43 45 Tries to steal Mail credentials (via file / registry access) 13->45 47 Tries to harvest and steal ftp login credentials 13->47 49 2 other signatures 13->49 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d5d72d557920e6beef5c35e3cdd3ddd1339b2c4306e4b79e540058afede2063/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-12-07 19:48:11 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fvoxfvkxsihgx3xvynpdzxj53ujttmwegbxew6pfiacyv7w6ebrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
037d18a0489c63d5d9ba87f8ea9652c511df0787eb9d8fe361cfab7f93e03582
AgentTesla
0d09e99b2a15cae89b2b6c61ae744d8437b2289615d909ee58ee52ac865b5872
AgentTesla
12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869
AgentTesla
3e8e2a2868f0e729a298541b51105ca23c60b0ffaa2c7b7c89e8a1edc0b2eab7
AgentTesla
6e8de74475e365bdd0f573a03266f447a13f30a76cc2c71d14c1fc5607e1ae5d
AgentTesla
6edf2090f396f8b0fe0846194add30c81ff740e21599fb660a5f6433474de8c7
AgentTesla
783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06
AgentTesla
8a8bd03d6e56297acd34652142a5cb999089c75e28decf038c43eeccc14158ba
AgentTesla
91b5a61f0615710ef9ca5fd015e1cbe36b908516c5882463e4bdc694133c0829
AgentTesla
a32619cd26fbb97072657ec6a481d4f4fd6c51b72ea5ea0837006d9a8dd24800
AgentTesla
+ 11'599 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221207-yh4e4aah7y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5801961827:AAHU2YhkfiXQwgVf7WnbO6mcJG_3zpTOec4/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f25081e3-6c57-4776-a6f0-0d084ea56f3d
Unpacked files
SH256 hash:
96dd947b749b62452d4e26af9e0b08c2ce7fe84b4c60d89c1d0708399d8d8066
MD5 hash:
d44b895b94cc980f9c849941e576cd78
SHA1 hash:
d97b674d6e0feb6b2bf2304744e0d772b9e6cb28
Link:
https://www.unpac.me/results/ef081df7-5701-48ba-8b96-4edc0f699993/
SH256 hash:
85a2cd0739a8386f33c0e76360908f5c32111991e705a68a914551eaf1b4eb59
MD5 hash:
6376674d9cb734641768158e12de22ac
SHA1 hash:
4c53bc87384e851f20d69f966dd78473831acb5f
Link:
https://www.unpac.me/results/ef081df7-5701-48ba-8b96-4edc0f699993/
SH256 hash:
2d5d72d557920e6beef5c35e3cdd3ddd1339b2c4306e4b79e540058afede2063
MD5 hash:
7db0bc0c978bda0048ac2944b9b86245
SHA1 hash:
66e87764ff09ebba04681cbc2c61a43cbfa595b5
Link:
https://www.unpac.me/results/ef081df7-5701-48ba-8b96-4edc0f699993/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d5d72d55792/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/2d5d72d557920e6beef5c35e3cdd3ddd1339b2c4306e4b79e540058afede2063

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2d5d72d557920e6beef5c35e3cdd3ddd1339b2c4306e4b79e540058afede2063

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/344109/

Comments