MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d74a1235dbedaaf7476cd9c173d5c6b055b1618c2150625db9ce0dcabd1c828. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d74a1235dbedaaf7476cd9c173d5c6b055b1618c2150625db9ce0dcabd1c828
SHA3-384 hash: c1b0467721632c2fde0e1a1b8fcfcd39411be0142f12fe8026fbefff98ca38811815b33d43d4993fecb232f9a0f95c81
SHA1 hash: 2d7bac2edf480cd1455a83c76c234d003a73fedb
MD5 hash: 26dd152bf9b096262cbc17ece3f5faa7
humanhash: fourteen-foxtrot-one-triple
File name:26dd152bf9b096262cbc17ece3f5faa7
Download: download sample
Signature AgentTesla
Create hunting rule
File size:758'784 bytes
First seen:2023-02-24 13:42:53 UTC
Last seen:2023-08-24 16:38:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:je1jDprXXcJi0konq7PUWSFUqsitWQqXorHNvEWaqYziZq1/ax2vKZ:jepj0DnINIfs2Z9NUqhcG
Threatray 876 similar samples on MalwareBazaar
TLSH T19DF4224963F4A712E9BE47FB1879104003F6BA652653D34D1EC822D67F36FD0A921BA3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 3271e8e8f0cccc92 (1 x AgentTesla, 1 x Formbook)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
26dd152bf9b096262cbc17ece3f5faa7
Verdict:
Malicious activity
Analysis date:
2023-02-24 13:57:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c5a494f2-595f-43aa-8142-863a974d1899

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369476/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f8beee81c7f31327f9dde4/reports/eea898f2-6a6e-4577-b009-dbcb6f5bd240/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2d74a1235dbedaaf7476cd9c173d5c6b055b1618c2150625db9ce0dcabd1c828
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5bfbee8a-61a2-4a82-a0b7-177b424b360d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181907
Signature
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 814739 Sample: QgRD99sTzd.exe Startdate: 24/02/2023 Architecture: WINDOWS Score: 100 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected AgentTesla 2->56 58 Machine Learning detection for sample 2->58 7 QgRD99sTzd.exe 4 2->7         started        11 GsHLJkZ.exe 3 2->11         started        13 GsHLJkZ.exe 2->13         started        process3 file4 34 C:\Users\user\AppData\...\QgRD99sTzd.exe.log, CSV 7->34 dropped 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->60 62 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->62 64 Adds a directory exclusion to Windows Defender 7->64 15 QgRD99sTzd.exe 2 5 7->15         started        20 powershell.exe 21 7->20         started        66 Multi AV Scanner detection for dropped file 11->66 68 Machine Learning detection for dropped file 11->68 22 GsHLJkZ.exe 2 11->22         started        70 Injects a PE file into a foreign processes 13->70 24 GsHLJkZ.exe 13->24         started        26 GsHLJkZ.exe 13->26         started        signatures5 process6 dnsIp7 36 smtp.yandex.ru 77.88.21.158, 49695, 49696, 49697 YANDEXRU Russian Federation 15->36 38 smtp.yandex.com 15->38 30 C:\Users\user\AppData\Roaming\...behaviorgraphsHLJkZ.exe, PE32 15->30 dropped 32 C:\Users\user\...behaviorgraphsHLJkZ.exe:Zone.Identifier, ASCII 15->32 dropped 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->46 48 Tries to steal Mail credentials (via file / registry access) 15->48 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->50 28 conhost.exe 20->28         started        40 192.168.2.1 unknown unknown 22->40 42 smtp.yandex.com 22->42 44 smtp.yandex.com 24->44 52 Tries to harvest and steal browser information (history, passwords, etc) 24->52 file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2d74a1235dbedaaf7476cd9c173d5c6b055b1618c2150625db9ce0dcabd1c828/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-02-24 13:43:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fv2kci25x3nk65dwzwobopk4nmcvwfqyyikqmjo3ttqnzk6rzaua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2bbff6d93b38a6ffc24b7f707edf5686e0cf5e92889c0a467ff37ab74198bd1d
AgentTesla
4705340cecbc474ffcb41a8ae7968093fa35084b3c197d4cf1a1862be648828d
AgentTesla
658302b0e9abc6927e43c18d0fc323e601df5d484429785d894b15db50278d5c
AgentTesla
82e607dcbff70954bf2ce4ce6b437321e7104e857a6569c9c0f955ae967ab8ba
AgentTesla
8f81fd0cd66548518e82ab4238cf83a55989de7b1ab9099ef43892d0272b41e5
AgentTesla
9a7f1462051ff7afb4f0221178371fd54e0d0f92e7dfc65adf3dbd40b87e9ec2
AgentTesla
b7edcf412d229e488db5a92975a1b2398f4bc4e7dc0317f9e226b706140994f2
AgentTesla
f372f32242ba5521234305f8d8cb0f314b89be5417f875e9f2789348fab3d3c1
AgentTesla
+ 866 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230224-qz9dnsbe56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
1d56c1d5129a59e86707a1e810e528230a519cf145ee1394f8faafd0cef26e48
MD5 hash:
599a9fa2ca77f8deb7af47c4eb975c34
SHA1 hash:
b0e4c48db7ea5ff2e8f81d2061507e1095ccb63d
Link:
https://www.unpac.me/results/1441cfe6-dba3-4f7d-895f-049de0eb2d03/
SH256 hash:
ce4aa0f4a0c8c7771cebdb9e4927730510ff1d45fb9db56c1f7741609c38aaa6
MD5 hash:
123846499353f33f685d7932fc272b37
SHA1 hash:
76715892332b4eb818251abb1446bc83b1c399bf
Link:
https://www.unpac.me/results/1441cfe6-dba3-4f7d-895f-049de0eb2d03/
SH256 hash:
d3613ea7de1668576914fe0d70f73afc13d7116627bd2950591fbe4cb2cd8aac
MD5 hash:
58d207c8f382082887c18e20a04386d7
SHA1 hash:
64fcb07e7516ac2201da25324332a4343b247b13
Link:
https://www.unpac.me/results/1441cfe6-dba3-4f7d-895f-049de0eb2d03/
SH256 hash:
e1a1fda33a8a30983aca304290b5c318ea5f7ad1dc3144b02aedeb9ed28f71c0
MD5 hash:
317c15e0916ced8cc132572ed854ad72
SHA1 hash:
0e4b7d33c7ca693cb1601c3ba5293dffc697bc1e
Link:
https://www.unpac.me/results/1441cfe6-dba3-4f7d-895f-049de0eb2d03/
SH256 hash:
2d74a1235dbedaaf7476cd9c173d5c6b055b1618c2150625db9ce0dcabd1c828
MD5 hash:
26dd152bf9b096262cbc17ece3f5faa7
SHA1 hash:
2d7bac2edf480cd1455a83c76c234d003a73fedb
Link:
https://www.unpac.me/results/1441cfe6-dba3-4f7d-895f-049de0eb2d03/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d74a1235dbe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d74a1235dbedaaf7476cd9c173d5c6b055b1618c2150625db9ce0dcabd1c828

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d12ca833ba98d43bd8d3ea7f406d03efd109867c45a2b1f70226d8373b9439f5

AgentTesla

Executable exe 2d74a1235dbedaaf7476cd9c173d5c6b055b1618c2150625db9ce0dcabd1c828

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/369476/
  
Dropped by
SHA256 d12ca833ba98d43bd8d3ea7f406d03efd109867c45a2b1f70226d8373b9439f5
  
Dropped by
MD5 f553747f51f12b1cc1dc8fb8bf6cb51d

Comments


Avatar
zbet commented on 2023-02-24 13:43:00 UTC

url : hxxps://maristascruzdelsur.org/cache/page/swiftstatement.exe