MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e3b5e32da47c76886cb7a09f18d2143cee83e766e846c136ced459a5f9fa0a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e3b5e32da47c76886cb7a09f18d2143cee83e766e846c136ced459a5f9fa0a8
SHA3-384 hash: 9e377fe245b045dd19e63af01eb0a1267f133c6a4cdcbddcfcf4ea725581cfbc71e5ddb8a25889b1ed1eb4e76aaacbaa
SHA1 hash: b7522b691e900c5142946d40735ff7e335817cb5
MD5 hash: f9d7e7336fec4b19db22175f55a5144c
humanhash: football-cardinal-xray-music
File name:Mensaje Swift MT103 - 06202022.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:503'296 bytes
First seen:2022-06-20 20:00:19 UTC
Last seen:2022-06-20 20:38:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:4itNn/95sfqs3mUlkphdel/RzB7FXt40UaIIStgm:N95sf8lleTz5F9405Hm
Threatray 18'016 similar samples on MalwareBazaar
TLSH T160B401437AB95B0BD6BAD3F69776204447B4396DA221F1184DCA70EE2872F044EA0F73
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281739/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.10451.21655.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b0d20346804683cbb7c062/reports/3f3688e5-69db-406d-8aee-dbbd095c9870/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1534518e-e4d6-41b3-91bf-618d46502c2d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1016670
Signature
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2e3b5e32da47c76886cb7a09f18d2143cee83e766e846c136ced459a5f9fa0a8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-20 18:24:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fy5v4mw2i7dwrbwlpie7ddjbiphoqptwn2cgye3m5vczux47ucua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cfd60d4d7ce4e4dfdc8f467c735c33d0aefd83281cf62a38f36b0946c88ff91
AgentTesla
387a765e811e6e32560ac2664259463d0a59284b34dbc43bdaf3bfcca250bd4d
AgentTesla
40fd7a4fd13cf4057de10b3eb1d89a596786f403bde6e79f3539fedd51af68de
AgentTesla
4e66e70ef947e8c220665cd4a18464d76aa7f80082cf202632749d5217cba611
AgentTesla
61d404fca3e77c9da77c817cf0e35541e15ea11350f6068d22e33a03a28a5e35
AgentTesla
6eec3ed20cf01fe2ae28df3add8d04b987e52d1299c0ee9ff72a677f36a5a8a2
AgentTesla
78e1fbae10c16b140343e4b74ce4a005518c2811869aa37e38cb8c3e5d4b1d16
AgentTesla
f63be70bc011d2549aad48b9ad4fea0784922d36ef4bc3b22590210dbb28fe7f
AgentTesla
+ 18'006 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220620-yrhvradba2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
c002d1a4075dcd5d6651067b3c10944bb7daf0c49604c968405250ffd2356488
MD5 hash:
41859ad1bafcaac9d0647a302a7b9016
SHA1 hash:
f5d266f0c16d880f582c3e45f01696b62ccc200d
Link:
https://www.unpac.me/results/b721c5c2-3a2c-4729-9efb-37192ae89059/
SH256 hash:
f6c807f21c9453e4fef7497fc06dfb7a9486479201ebd71b93a57a32abfbeae7
MD5 hash:
16e1e443f688d94a63f331d6d837e852
SHA1 hash:
5ef9fea7a069e3c9de4278cfc98937ffdadf1ac7
Link:
https://www.unpac.me/results/b721c5c2-3a2c-4729-9efb-37192ae89059/
SH256 hash:
556af0fdaf8507f8e1045dbf2c94a1efd4f05361ec9cf3e653c9d2773c7f9aaf
MD5 hash:
68a8b28a281db5df8cf349633ab95636
SHA1 hash:
f0d8ee1b10250f7a502d4552f8b4c98a1505df2c
Link:
https://www.unpac.me/results/b721c5c2-3a2c-4729-9efb-37192ae89059/
SH256 hash:
6de8bc7d4844efdb55328126b632a374bee9aaf3073cf9ca5fe5fdf303106f8e
MD5 hash:
7ce2d10bd0f02667bc0e1343d9ffc1c1
SHA1 hash:
c3a5b4e5721085022eb7bf0008b7e449f9369fcf
Link:
https://www.unpac.me/results/b721c5c2-3a2c-4729-9efb-37192ae89059/
SH256 hash:
2e3b5e32da47c76886cb7a09f18d2143cee83e766e846c136ced459a5f9fa0a8
MD5 hash:
f9d7e7336fec4b19db22175f55a5144c
SHA1 hash:
b7522b691e900c5142946d40735ff7e335817cb5
Link:
https://www.unpac.me/results/b721c5c2-3a2c-4729-9efb-37192ae89059/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e3b5e32da47c76886cb7a09f18d2143cee83e766e846c136ced459a5f9fa0a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/281739/

Comments