MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f7226f97fc49d8e893e80ff5e3e1127d0ae76650045dbf30c36ddd0535c0af1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

SHA256 hash: 2f7226f97fc49d8e893e80ff5e3e1127d0ae76650045dbf30c36ddd0535c0af1
SHA3-384 hash: f4d15807d15dbfd6320d5701b7a35b19faeeb0da5f3feabb8de73fce75e8d250f44be8d98711014f62c4219d38e15663
SHA1 hash: f42bfd900ed81b153c25c8b3d97ba9cd854b9c33
MD5 hash: d489480f7f1c5a788840dba27d8d3624
humanhash: colorado-north-ack-seventeen
File name: INTERGIS TBN1 VLS's Particulars.docx.scr
Signature: AgentTesla
File size: 1'107'968 bytes
First seen: 2025-02-14 04:06:33 UTC
Last seen: 2025-02-14 04:26:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 24576:0PaHUIjmf/LF5XJV2c7XaAp+pPRMrBVVzim0CY8iMo6bt:oaHUIjmfzDXz2c+TPRug8iMJ
TLSH: T1D735DFE4F793E302CF1B1678953DEDB213641DE8B080B5A71ED63F877958B202809B69
TrID:
  69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
  1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
File icon (PE): (icon image)
dhash icon: 78b97864b0b97852 (5 x SnakeKeylogger, 4 x AgentTesla, 4 x Formbook)
Reporter: threatcat_ch
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 535
Origin country: CH

Vendor Threat Intelligence

Malware family: agenttesla
ID: 1
File name: INTERGIS TBN1 VLS's Particulars.docx.scr
Verdict: Malicious activity
Analysis date: 2025-02-14 04:10:39 UTC
Tags: evasion stealer ftp agenttesla exfiltration

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: underscore lien

Result
Verdict: Clean
Maliciousness:

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade obfuscated obfuscated packed packed packer_detected

Result
Verdict: SUSPICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph (rendered as an image; the recoverable details follow):
Behavior Graph ID: 1614791
Sample: INTERGIS TBN1 VLS's Particu...
Startdate: 14/02/2025
Architecture: WINDOWS
Score: 100
Network contacts:
  beirutrest.com (50.87.144.157, ports 21, 42906, 49708, UNIFIEDLAYER-AS-1US, United States)
  api.ipify.org (172.67.74.152, ports 443, 49707, 49711, CLOUDFLARENETUS, United States)
Processes started:
  INTERGIS TBN1 VLS's Particulars.docx.scr.exe, which starts a second INTERGIS TBN1 VLS's Particulars.docx.scr.exe (the process that generates the network traffic above), two powershell.exe instances and 2 other processes
  VUlRwJFC.exe, which starts VUlRwJFC.exe and schtasks.exe
  conhost.exe and WmiPrvSE.exe as children of the powershell.exe, schtasks.exe and other processes
Dropped files:
  C:\Users\user\AppData\Roaming\VUlRwJFC.exe (PE32)
  C:\Users\...\VUlRwJFC.exe:Zone.Identifier (ASCII)
  C:\Users\user\AppData\Local\...\tmpA549.tmp (XML)
  INTERGIS TBN1 VLS'...rs.docx.scr.exe.log (ASCII)
Signatures attached to graph nodes:
  Sample: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
  INTERGIS TBN1 VLS's Particulars.docx.scr.exe: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  VUlRwJFC.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  powershell.exe: Loading BitLocker PowerShell Module
  VUlRwJFC.exe (child): Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
Threat name: Win32.Exploit.Generic
Status: Malicious
First seen: 2025-02-14 03:37:12 UTC
File Type: PE (.Net Exe)
Extracted files: 35
AV detection: 26 of 38 (68.42%)
Threat level: 5/5
Verdict: malicious
Label(s): agenttesla unknown_loader_037
Similar samples:

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla discovery execution keylogger spyware stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
AgentTesla
Agenttesla family
Verdict: Malicious
Tags: external_ip_lookup
YARA: n/a

Unpacked files

SHA256 hash: 2f7226f97fc49d8e893e80ff5e3e1127d0ae76650045dbf30c36ddd0535c0af1
MD5 hash: d489480f7f1c5a788840dba27d8d3624
SHA1 hash: f42bfd900ed81b153c25c8b3d97ba9cd854b9c33

SHA256 hash: 7b20da2df7723467f33026394d5f5198c7e5dc96e5400d5e7e5686e8d408d942
MD5 hash: 009233ed35ae9f2966e226c4f04a59f2
SHA1 hash: 44e4cf3a28a6b3642a4913a953c826967ca91c57
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 2bfde305793352cc0da1adb8ed99447ad59f25f03c67d5756905cce802618749
MD5 hash: 90cebe77febe3d68f79fb7e03876149d
SHA1 hash: a665a04102d72778358e1b045fe3dd46996d2fca
Detections: win_agent_tesla_g2 INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID MALWARE_Win_AgentTeslaV2 Agenttesla_type2
Parent samples :

SHA256 hash: c94d846e2cdb1be9a54740b587959ab5c741ae3c40e30b4b2a10b49f3279f48c
MD5 hash: 3fe0a01522dd677ea56f0a69b4872a04
SHA1 hash: d4cbc9272c9ea6d3ef9a2c73144c9ebdcc8189d3
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Parent samples :
Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTeslaV2
Author: ditekshen
Description: AgentTesla Type 2 Keylogger payload

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: AgentTeslaV5
Author: ClaudioWayne
Description: AgentTeslaV5 infostealer payload

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: INDICATOR_EXE_Packed_GEN01
Author: ditekSHen
Description: Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author: ditekSHen
Description: Detects executables referencing many file transfer clients. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Author: ditekSHen
Description: Detects executables referencing Windows vault credential objects. Observed in infostealers.

Rule name: malware_Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: MALWARE_Win_AgentTeslaV2
Author: ditekSHen
Description: AgentTesla Type 2 Keylogger payload

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: Windows_Generic_Threat_808f680e
Author: Elastic Security

Rule name: Windows_Trojan_AgentTesla_ebf431a8
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 2f7226f97fc49d8e893e80ff5e3e1127d0ae76650045dbf30c36ddd0535c0af1 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                            Severity
CHECK_AUTHENTICODE         Missing Authenticode                             high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)  high

Comments