MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f1f66a7d7f0058db7f854e5ed21829fcbc075a6a94590b16a1509267a477511. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f1f66a7d7f0058db7f854e5ed21829fcbc075a6a94590b16a1509267a477511
SHA3-384 hash: 3e8c476b61449bf932a7fd0c877aa354c548b1b943eeec56fa950f0bcad133d8475a3087bf53373623b74f4fd1e296d1
SHA1 hash: c93cbf9c74fd166d5a3168223c81871005bf9bf6
MD5 hash: db50938cd1051c811bc28e79500cda0b
humanhash: hot-dakota-beryllium-arkansas
File name:ROYAUMAN PO.PIF
Download: download sample
Signature AgentTesla
Create hunting rule
File size:202'240 bytes
First seen:2020-11-13 09:46:39 UTC
Last seen:2024-07-24 12:44:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:evy4eFqGw9YHsASx66rKcwiKsyCXWW8H+P8Ox257prEAmjc+j98Y:4HNbFHYEAmg+h8
Threatray 66 similar samples on MalwareBazaar
TLSH 5714483D6D8459A3D137A272A4B90282FAB56D8A72794C0F11C73A093D7BF023D9774E
Reporter cocaman
Tags:AgentTesla pif

Intelligence

File Origin
# of uploads :
5
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.mg.db50938cd1051c81.14429.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/533723
Signature
.NET source code contains very large strings
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f1f66a7d7f0058db7f854e5ed21829fcbc075a6a94590b16a1509267a477511/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 08:13:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f4pwnj6x6acy3n7ykts62imct7f4a5ngvfczbmlkcuesm6shouiq._file
Verdict:
malicious
Similar samples:
290452bb8eb4dfcc3cfb1590c8fb1b44427a3c9f0439ad5855e35bc39537a3a3
AgentTesla
4747e3d90198171f10ab973d32e0cbf1f679148832d1d10a6ec99a340b0a307f
AgentTesla
562dc6b24ea581f4f285a016cab0f8243d80dfae6fb484d38533ba29972cf644
AgentTesla
656e99ec9ba18c70b338604ef390ce523a35339c8bc556ff2963ca2ce87baec7
AgentTesla
813f91b6601d46e7f9f3d4dce52c725c7c3f17733277fc7bf88ae1597fa23a2e
AgentTesla
9300260a0aa311aa5e53e3c015ba7c63bb52ccb40c9841d4f566a6019143257d
AgentTesla
a52c72aa195562b2f469e6dbc1e2e7534aec440d4674cedb788f3800286ecbbf
AgentTesla
c08b6cb15ec45d44bde739241acb6403f92bffc565a006c11cbfb4f9c10806e1
AgentTesla
ce9820f87744f7cd5f16e60470ec525cf1852762d5914278815b01737d4adacd
AgentTesla
e39c2e98071d4440d02e6d1aa86111536d6d01554489bd71f890455c05e424d3
AgentTesla
+ 56 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201113-k3tn6gppv6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Legitimate hosting services abused for malware hosting/C2
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
2f1f66a7d7f0058db7f854e5ed21829fcbc075a6a94590b16a1509267a477511
MD5 hash:
db50938cd1051c811bc28e79500cda0b
SHA1 hash:
c93cbf9c74fd166d5a3168223c81871005bf9bf6
Link:
https://www.unpac.me/results/de666f8a-1350-4c69-9391-990333113b39/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img e31b9aa7e444e46077257bf9c82eda3355124a4a769fcb2e2d9627fbb129cb36

AgentTesla

Executable exe 2f1f66a7d7f0058db7f854e5ed21829fcbc075a6a94590b16a1509267a477511

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e31b9aa7e444e46077257bf9c82eda3355124a4a769fcb2e2d9627fbb129cb36

Comments