MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fb6bc99ffadcb8e65b4db0e7df125ea0ffd455c6ff4aae04e775e87a4b51d8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fb6bc99ffadcb8e65b4db0e7df125ea0ffd455c6ff4aae04e775e87a4b51d8d
SHA3-384 hash: 9d95f86c5274a5505eb1bb2d68f3b86b34f44a00dcc7e4f28d6e082a18a6394c3659e8d779d88528a0677cdc6ca842e4
SHA1 hash: 8c793a3060b5bc8fd7c2ddd6b7bf9db52a05b0fd
MD5 hash: cf1b1278beb043e688ffa8440d0a4c3a
humanhash: papa-five-edward-idaho
File name:ORDER 03949.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:731'648 bytes
First seen:2023-08-24 09:38:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:NdfSRtv2lq3PaTySO87/h34IpGjYK7DuqCOqehJB0YxdZNw2sKAA3P:Na2lq3yTySr7/B4yvrWB5hK2vAA
Threatray 313 similar samples on MalwareBazaar
TLSH T15FF40113BA17AFBBC13A87F63C2451020B66EC6FA550E3244D8B71F59D36702456AE2F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER 03949.exe
Verdict:
Malicious activity
Analysis date:
2023-08-24 09:43:52 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/e691fbc0-0477-4b18-b083-fda449dbfa2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444432/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Restart of the analyzed sample
Moving of the original file
Gathering data
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/2fb6bc99ffadcb8e65b4db0e7df125ea0ffd455c6ff4aae04e775e87a4b51d8d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c6be3f93-4c5f-46b1-84f4-f56a6182fcd4
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1296524
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fb6bc99ffadcb8e65b4db0e7df125ea0ffd455c6ff4aae04e775e87a4b51d8d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-23 19:16:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f63lzgp7vxfy4znu3mhh34jf5ih72rk4n72kvycoo5pipjfvdwgq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
234aff0ca0de7675a5bcd4b0925d85bcb9c6df06948159893fdb990274a5164c
AgentTesla
3f233f8f681ef73f9455a624846383a9623da1b960999cdc6ab0a6178c90b6f9
AgentTesla
65991091fbb81c3961dd91240296ae03aec2a94ef682dd194134e8cfdf69f8a4
AgentTesla
832d1e7aff9cc3600ec1c6deb39c571184e02cb5aea81538d91b4e9a805ea58f
AgentTesla
845bd19a89db0310a363f915e1e92d5e1d2943bd4cb0f9422368d563de2d850d
AgentTesla
88c206de26374622c698d34b7b2e96626ad2c9d06d8441b7122e8c0865209fc2
AgentTesla
9744a5d517cee9bb8b6a1816d17ef0a9a16ade3fcaa2cd4880020e3de274b8d3
AgentTesla
b3a5d73b31d152222ab912e63ee126814f3c5c3fdcbdc50ad6772bc6bc867c7c
AgentTesla
d2693e99349474de1c4b0d216b0bef9f5c034d2d0b003fe52c89bf57ac38847a
AgentTesla
edf6c2e805b1b232065ff74c1c2b8c8da24147c9ef17175547ec5fb905005cf1
AgentTesla
+ 303 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230824-lml1dsda3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/99259d80-d152-45ce-b097-1e5af43f1222/
SH256 hash:
0f93fd33eb74e6e2c31c96c0f440a4fd10e8a9cf6a63d7e615c490e167ccd754
MD5 hash:
78463d843fadc2d3ea902f5d9aaf71df
SHA1 hash:
98b75e49c07967659be283d4c0116262df50b727
Link:
https://www.unpac.me/results/99259d80-d152-45ce-b097-1e5af43f1222/
SH256 hash:
6b959869f767cbed167d5169ef0f2375ea56e202a0a8ac8dbb8f05cd1eae661e
MD5 hash:
e845de7a4cd00244a0f9446be285469b
SHA1 hash:
9749766f00920445091f6b27306bf09be01c0ae5
Link:
https://www.unpac.me/results/99259d80-d152-45ce-b097-1e5af43f1222/
SH256 hash:
06ce547fdddda3b2e0d1f9b4a5afc78e5d759ba7d6c0faba983db68dbb7dde89
MD5 hash:
9836115ab1236581b9deac60ac063dd7
SHA1 hash:
8d32892c84d2e7b89e3ff59d777a97f1bf8c1a9c
Link:
https://www.unpac.me/results/99259d80-d152-45ce-b097-1e5af43f1222/
SH256 hash:
2fb6bc99ffadcb8e65b4db0e7df125ea0ffd455c6ff4aae04e775e87a4b51d8d
MD5 hash:
cf1b1278beb043e688ffa8440d0a4c3a
SHA1 hash:
8c793a3060b5bc8fd7c2ddd6b7bf9db52a05b0fd
Link:
https://www.unpac.me/results/99259d80-d152-45ce-b097-1e5af43f1222/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2fb6bc99ffad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fb6bc99ffadcb8e65b4db0e7df125ea0ffd455c6ff4aae04e775e87a4b51d8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/444432/

Comments