MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dfe662fdf9cdb98f44cb0307188837be6b3e8aacace0b1725b95def11519dc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2dfe662fdf9cdb98f44cb0307188837be6b3e8aacace0b1725b95def11519dc0
SHA3-384 hash: 295f1ff07e2a3a31cc8f01d3f42981c01ff28fd13a355952788a020bd037154a9708492e5d94bac552485d7dc507bf8c
SHA1 hash: cfc3b9d144916a24f89219487abaf3fe33c6eb11
MD5 hash: eaf2b6671ec5dded98f2a7fe6aa603c7
humanhash: nevada-echo-avocado-diet
File name:docjhny20230925.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'355'776 bytes
First seen:2023-09-26 13:52:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:dA86BOzKx1EfrvUYZCVZTui+e0+rEITX0BZMnjYtpISZOnzwp:dioWvEYVVZTSB+rEITEBZMnjYjZc
Threatray 5'673 similar samples on MalwareBazaar
TLSH T1EC559DD96693EA1FE3BBC6365BDA4430657DE42FD07AD285361026769C329C22F3012F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e2e2b2ccf0b27ee3 (9 x AgentTesla, 1 x SnakeKeylogger)
Reporter JAMESWT_WT
Tags:AgentTesla exe payorderreceipt-info

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
docjhny20230925.exe
Verdict:
Malicious activity
Analysis date:
2023-09-26 13:54:10 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/942be933-8d45-4c25-aa47-d6fba3d7f9c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451290/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.27390.20940.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Restart of the analyzed sample
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/6512e240f1b40cb0d622b6f9/reports/e32be0d9-eba9-4dfa-96d4-331721f0e32d/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/2dfe662fdf9cdb98f44cb0307188837be6b3e8aacace0b1725b95def11519dc0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2d7a316-9759-4871-bb41-dad83a44061d
Result
Threat name:
AgentTesla, Redline Clipper, Snake Keylo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1314570
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Contains VNC / remote desktop functionality (version string found)
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Schedule system process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Redline Clipper
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1314570 Sample: docjhny20230925.exe Startdate: 26/09/2023 Architecture: WINDOWS Score: 100 97 softwarez.online 2->97 99 royalcheckout.store 2->99 101 3 other IPs or domains 2->101 107 Found malware configuration 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 Antivirus detection for URL or domain 2->111 113 13 other signatures 2->113 11 docjhny20230925.exe 4 2->11         started        15 svchost.exe 2->15         started        17 avast.exe 2->17         started        19 3 other processes 2->19 signatures3 process4 file5 93 C:\Users\user\AppData\Local\...\svchost.exe, PE32 11->93 dropped 133 Drops PE files with benign system names 11->133 135 Injects a PE file into a foreign processes 11->135 21 docjhny20230925.exe 2 11->21         started        24 svchost.exe 2 11->24         started        27 cmd.exe 2 11->27         started        33 2 other processes 11->33 137 Antivirus detection for dropped file 15->137 139 Multi AV Scanner detection for dropped file 15->139 141 Machine Learning detection for dropped file 15->141 29 cmd.exe 15->29         started        35 3 other processes 15->35 31 cmd.exe 17->31         started        37 3 other processes 17->37 39 12 other processes 19->39 signatures6 process7 file8 89 C:\Users\user\AppData\...\johnny10121.exe, PE32 21->89 dropped 41 johnny10121.exe 15 3 21->41         started        115 Multi AV Scanner detection for dropped file 24->115 117 Machine Learning detection for dropped file 24->117 119 Injects a PE file into a foreign processes 24->119 47 4 other processes 24->47 121 Uses schtasks.exe or at.exe to add and modify task schedules 27->121 123 Drops PE files with benign system names 27->123 45 conhost.exe 27->45         started        50 2 other processes 29->50 52 2 other processes 31->52 91 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 33->91 dropped 54 3 other processes 33->54 56 2 other processes 35->56 58 2 other processes 37->58 60 11 other processes 39->60 signatures9 process10 dnsIp11 103 royalcheckout.store 179.43.183.46, 49758, 49759, 49773 PLI-ASCH Panama 41->103 105 api4.ipify.org 64.185.227.156, 443, 49757 WEBNXUS United States 41->105 125 Antivirus detection for dropped file 41->125 127 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 41->127 129 Tries to steal Mail credentials (via file / registry access) 41->129 131 4 other signatures 41->131 62 svchost.exe 41->62         started        95 C:\Users\user\AppData\Roaming\...\avast.exe, PE32 47->95 dropped 65 conhost.exe 47->65         started        67 conhost.exe 47->67         started        69 conhost.exe 47->69         started        71 schtasks.exe 47->71         started        file12 signatures13 process14 signatures15 143 Injects a PE file into a foreign processes 62->143 73 cmd.exe 62->73         started        75 cmd.exe 62->75         started        77 cmd.exe 62->77         started        79 svchost.exe 62->79         started        process16 process17 81 conhost.exe 73->81         started        83 schtasks.exe 73->83         started        85 conhost.exe 75->85         started        87 conhost.exe 77->87         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2dfe662fdf9cdb98f44cb0307188837be6b3e8aacace0b1725b95def11519dc0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-26 03:05:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fx7gml67ttnzr5cmwayhdcedpptlh2fkzlhawfzfxfo66ekrtxaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26e4c2040af6ee16a1794c86220f5249743ec9c9ceee933645331c1e54ebcca6
AgentTesla
323f7a2c28d21f7098817977c3854be91f379cb2791fbc5504d6c3342fb163ac
AgentTesla
3f8a355ce6dd6d2703dcb44bad8134df383496f1f5db5c7c5b4c613cdb32aa0b
AgentTesla
478d51fa24c69ccaa66567cbcdf3105f7c302bbba2b88db7cfee19fe84acf64f
AgentTesla
53c7d0ae5376a439f008355cdcdd56b12dcad13dab5887b91cfa3bf4236299e4
AgentTesla
77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb
AgentTesla
7d31211e88bbc31cd128c1b5a3ae9e1dbbb823b449f807e3d3a6669047810dc1
AgentTesla
8d9a8f9de34a75aeba8164f658881f4c142690b58c8cf30486f18574a8e14185
AgentTesla
a5511e15b015d02f9475da2875c37dcdacdda81793f2324fe5d61d487187aa8c
AgentTesla
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6
AgentTesla
+ 5'663 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:snakekeylogger collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230926-q6y7aahg3x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a
MD5 hash:
6741d00c206f685140fd9cd0957aaaa8
SHA1 hash:
8e2da1453a6001aef807661db6940b1703846890
Link:
https://www.unpac.me/results/ebe8d1a0-33d1-4662-ab6d-81843da1fff7/
SH256 hash:
169b55a90537d6120bfb08a1ea69bbbf633ac44ac9e01a0e4f05076e1078c5da
MD5 hash:
5eae9e50b8291459a38dceb9540cf79a
SHA1 hash:
459c2a147b3e82ddae352252a461c331057d68be
Link:
https://www.unpac.me/results/ebe8d1a0-33d1-4662-ab6d-81843da1fff7/
SH256 hash:
f2daa3a71bb6410daf5a02fb0a41a71d45352dc5c2ebff42a048f2a37325b53c
MD5 hash:
5356e9f438d30c6806dfae6849362804
SHA1 hash:
d910a9b801386fff62e65b3eb0e94487211bcdaf
Detections:
snake_keylogger
Create hunting rule
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/ebe8d1a0-33d1-4662-ab6d-81843da1fff7/
SH256 hash:
701898d92c23d00fd9911e7e63c4b8c6ab9009304e189ff8b30603063c908af2
MD5 hash:
57130659d8e013ff29d209463a6db444
SHA1 hash:
1d83d5a93d9f5562c4a76584ae99b56060a665e6
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/ebe8d1a0-33d1-4662-ab6d-81843da1fff7/
SH256 hash:
e4c18b7cb5ea6a06a387efb548eb97c3f15b3ff30d703556264aed2e28024541
MD5 hash:
1e4d101b1cb4d263078caa98caf15c14
SHA1 hash:
15f553be4a6aec619d74f755ee36d200de32bea3
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/ebe8d1a0-33d1-4662-ab6d-81843da1fff7/
SH256 hash:
2dfe662fdf9cdb98f44cb0307188837be6b3e8aacace0b1725b95def11519dc0
MD5 hash:
eaf2b6671ec5dded98f2a7fe6aa603c7
SHA1 hash:
cfc3b9d144916a24f89219487abaf3fe33c6eb11
Link:
https://www.unpac.me/results/ebe8d1a0-33d1-4662-ab6d-81843da1fff7/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2dfe662fdf9c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2dfe662fdf9cdb98f44cb0307188837be6b3e8aacace0b1725b95def11519dc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 2dfe662fdf9cdb98f44cb0307188837be6b3e8aacace0b1725b95def11519dc0

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/451290/
  
URLhaus
https://urlhaus.abuse.ch/url/2714261/
  
Delivery method
Distributed via web download

Comments