MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f92ace2b068ba158cb7f9668aa9e66c736d1c8540a9df59a7d4eed9f8696f63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f92ace2b068ba158cb7f9668aa9e66c736d1c8540a9df59a7d4eed9f8696f63
SHA3-384 hash: 92f41f6856ed78f3bb79065c01464e577bf870f1c90dc2c9c576e63164e29da928d6e4fbbf62b0878414748b7108e022
SHA1 hash: 34a4b7612d4308b7358df383db2416edfc432fc7
MD5 hash: 7e1b82c1e31faea9b03d6ee0750b1923
humanhash: mars-august-uranus-tango
File name:Tyrone.dll
Download: download sample
Signature AgentTesla
Create hunting rule
File size:507'904 bytes
First seen:2024-09-15 11:52:29 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 12288:LpVoXYcMJpzYQrgO8AytocnngJnMKQJfMipG2Qqu:LEIYQcngJtmBpG2
Threatray 4'161 similar samples on MalwareBazaar
TLSH T1CFB4AF19FA56DE1FCF9986F3C4D1585493A48423A10BFB1B214A91E57D0B3EBCB02AD3
TrID 87.2% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter NDA0E
Tags:AgentTesla dll geo GRC SWIFT unpacked

Intelligence

File Origin
# of uploads :
1
# of downloads :
390
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Malware.Zusy-10009321-0
Create hunting rule

Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e6caa02ebf76853bd5ca80
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/66e6ca9f800c7315e1c9d187/reports/bc7d6f96-1725-419f-8530-aae50ac350ad/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/2f92ace2b068ba158cb7f9668aa9e66c736d1c8540a9df59a7d4eed9f8696f63
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/64e83b14-6617-49a7-83b9-c647f07a4634
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1511440
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1511440 Sample: Tyrone.dll Startdate: 15/09/2024 Architecture: WINDOWS Score: 68 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 .NET source code contains potential unpacker 2->19 21 2 other signatures 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2f92ace2b068ba158cb7f9668aa9e66c736d1c8540a9df59a7d4eed9f8696f63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f92ace2b068ba158cb7f9668aa9e66c736d1c8540a9df59a7d4eed9f8696f63/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-09-15 11:53:11 UTC
File Type:
PE (.Net Dll)
Extracted files:
6
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f6jkzyvqnc5bldfx7ftivkpgnrzw2heficu56wnh2txnt6djn5rq._file
Verdict:
malicious
Similar samples:
2228ca29a78a9e1f0c43f739e7c3e219ad8523d9bc29ba1cdbfa176afb0a4034
AgentTesla
2f92ace2b068ba158cb7f9668aa9e66c736d1c8540a9df59a7d4eed9f8696f63
AgentTesla
3b465f2c31e84df350d06452c95962aa6d5b5696391fae6e46fe77382d97bf2a
AgentTesla
494c2e3f9d7b369ac1f7f471a170f31d421ee5027af82f1c5e32227860e00404
AgentTesla
8722d9be017fd945c9ace288f405051fd8ced8c141cadf680448d4e6cd5bf8ac
AgentTesla
+ 4'151 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/240915-n2axsatbjm/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
2f92ace2b068ba158cb7f9668aa9e66c736d1c8540a9df59a7d4eed9f8696f63
MD5 hash:
7e1b82c1e31faea9b03d6ee0750b1923
SHA1 hash:
34a4b7612d4308b7358df383db2416edfc432fc7
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3b39de4e-f6bc-4b10-8cb1-c160de50675c/
Parent samples :
8722d9be017fd945c9ace288f405051fd8ced8c141cadf680448d4e6cd5bf8ac
2f92ace2b068ba158cb7f9668aa9e66c736d1c8540a9df59a7d4eed9f8696f63
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f92ace2b068ba158cb7f9668aa9e66c736d1c8540a9df59a7d4eed9f8696f63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Word file doc 4db55b2df58083e75c9471d2b79e1f9edf9491f423313b4e125349fed3507227

AgentTesla

Executable exe 8722d9be017fd945c9ace288f405051fd8ced8c141cadf680448d4e6cd5bf8ac

AgentTesla

DLL dll 2f92ace2b068ba158cb7f9668aa9e66c736d1c8540a9df59a7d4eed9f8696f63

(this sample)

  
Dropped by
SHA256 8722d9be017fd945c9ace288f405051fd8ced8c141cadf680448d4e6cd5bf8ac
  
URLhaus
https://urlhaus.abuse.ch/url/3173934/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 49a1b7551dcb6332880de16b36be8015

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments