MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f639103b3a2a16f0eacad22c7df0a037c3a45d74cfe09ce96f86e13fe74a1b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f639103b3a2a16f0eacad22c7df0a037c3a45d74cfe09ce96f86e13fe74a1b8
SHA3-384 hash: 022202b7beade903bfe80c6132d9fd26749274421e72714d7b36b6148b73ba23f68e5e64ce3533cad72bef961bba55ce
SHA1 hash: a003c960669f5a64ae182dcfc9d7185750a84f0d
MD5 hash: fb06ed245f080393bbfe1ae577053085
humanhash: alabama-eighteen-october-magnesium
File name:P44898408970-1.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:915'968 bytes
First seen:2021-07-22 05:30:43 UTC
Last seen:2023-06-08 13:50:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:YCiAT/vfFJSOdJpyog7hJLobe+2F2uUd9iCm34olKf2CSMPQipP5q:TiA7rSMJpgz9+2iPCipQ
Threatray 7'886 similar samples on MalwareBazaar
TLSH T114159E524DCF866FC2690DB69731AC5682314DAA2949F3132EC134EDD93F3ED899F602
dhash icon f8dcbeffbffecee8 (13 x AgentTesla, 7 x Formbook, 5 x Loki)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
14
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
P44898408970-1.exe
Verdict:
Malicious activity
Analysis date:
2021-07-22 05:35:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a0169561-2242-431c-bdce-18d430f02d8e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173217/
Detection(s):
SecuriteInfo.com.Trojan.Win32.runner.ali1000123.16658.6185.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41c37cbc-d15b-4a50-8755-4a66b24489a8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819931
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2f639103b3a2a16f0eacad22c7df0a037c3a45d74cfe09ce96f86e13fe74a1b8/
Threat name:
ByteCode-MSIL.Infostealer.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 05:14:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f5rzca5tukqw6dvmvurmpxykan6duroxjt7attuw7bxbh7tuug4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2de8befd5512337e4e9c723289d086b229345708d167936e1212bcf8641f193a
AgentTesla
2f639103b3a2a16f0eacad22c7df0a037c3a45d74cfe09ce96f86e13fe74a1b8
AgentTesla
58bee6329b0740ddeb2191717620b272f3f088d5e9cfa105c2cd52a282aa5092
AgentTesla
5d341e97346284948f292b2acef3b6a2b48f2e1b106732aeac5046723d5ec39e
AgentTesla
a22a93aa201096c6ae9d68aa245093f3b922b90e31a529ce94bcdbd2c0507e86
AgentTesla
c05e310c646407fa733712a98c822a5416ca1124322429d8d2a90966e909a6b5
AgentTesla
c185f1b12000aef63c347017f36ab8b9e67a08fcc22e5ed83695c1cc4f168f23
AgentTesla
d73bc4626e96397d7f14b9a698eb5ee7c2a3b461941d3d415baea2d598dd9ed1
AgentTesla
dd2262c470cbff3cef7f965e0c457de414eb71bb0ad94ffc2d64aef577462d14
AgentTesla
f39980b6f513345fde2aad18cb790595c8cb64139cb0aa1686d6c4e7c8b24e2b
AgentTesla
+ 7'876 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210722-6n31yfh9ax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/d4b6559a-a9bd-4d28-824d-f3ed704cc95c/
SH256 hash:
aedc5257c6635eb9b02c6e6820b8f3fda81d6a5f808b1ab2b1ae3c842cbff07b
MD5 hash:
98f7770c1e528ab3d6879c2453f10686
SHA1 hash:
e5195b58a74b910f11c5d052e51ba5dbaadcf0a3
Link:
https://www.unpac.me/results/d4b6559a-a9bd-4d28-824d-f3ed704cc95c/
SH256 hash:
a2c6b6252ee3a8cb4eea78d1e9ec51c9b30e65d7b6f7cb8e484986104695fbdc
MD5 hash:
bb9e3711a6e89b077c96b0043d11c4a2
SHA1 hash:
a0cbca44e13a6cb895169f911ba6cf523c02a8d5
Link:
https://www.unpac.me/results/d4b6559a-a9bd-4d28-824d-f3ed704cc95c/
SH256 hash:
2f639103b3a2a16f0eacad22c7df0a037c3a45d74cfe09ce96f86e13fe74a1b8
MD5 hash:
fb06ed245f080393bbfe1ae577053085
SHA1 hash:
a003c960669f5a64ae182dcfc9d7185750a84f0d
Link:
https://www.unpac.me/results/d4b6559a-a9bd-4d28-824d-f3ed704cc95c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.73
Link:
https://yomi.yoroi.company/submissions/2f639103b3a2a16f0eacad22c7df0a037c3a45d74cfe09ce96f86e13fe74a1b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 4a919c78e17213d98f10f49a921bf41164e6206e63bc3cbe487092b078189a0a

AgentTesla

Executable exe 2f639103b3a2a16f0eacad22c7df0a037c3a45d74cfe09ce96f86e13fe74a1b8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4a919c78e17213d98f10f49a921bf41164e6206e63bc3cbe487092b078189a0a
  
Dropped by
SHA256 fe9a3933128b2954090c969682e654f1349ed093f45d4bd2e8546beff5497654
Cape
Cape
https://www.capesandbox.com/analysis/173217/

Comments