MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fed75fb1b7aebeb5399686b962604e4db24a8f2a0ab33e2c2f3d4d98711a44e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fed75fb1b7aebeb5399686b962604e4db24a8f2a0ab33e2c2f3d4d98711a44e
SHA3-384 hash: f901011b04dc8d1cc81216b09cf3e0e8de4fad0d06802c83709ba20fedda4430086b96eae039282c576881940c9e25e6
SHA1 hash: 86d4b0f603a869ae6980957dfa4c8720126851c0
MD5 hash: 809e678154131e24dc8ed0e05fe367a0
humanhash: crazy-network-magazine-equal
File name:809e678154131e24dc8ed0e05fe367a0
Download: download sample
Signature AgentTesla
Create hunting rule
File size:599'040 bytes
First seen:2023-08-02 11:32:43 UTC
Last seen:2023-08-25 17:29:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:ug7JzQOXWGnfFrpWdsppJg9uGTmGaxiK8UDV1OqXGYL0Q0GPVrWL6lk:ug7+gWGnNrpWdKfg9uGTmGDK8A/XGuPS
Threatray 5'661 similar samples on MalwareBazaar
TLSH T197D40255A7E0917FF47BB372AC70518206B27DBE31A1C7EF598170DEE066B010AA16B3
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
286
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
809e678154131e24dc8ed0e05fe367a0
Verdict:
Suspicious activity
Analysis date:
2023-08-02 11:34:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f4ad40d8-bc14-4636-af59-82c6f0ae00cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439838/
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.666.13697.31759.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64ca3ef058785b2ae2186f30/reports/d582dceb-664f-4966-8577-018c839c87af/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/2fed75fb1b7aebeb5399686b962604e4db24a8f2a0ab33e2c2f3d4d98711a44e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cef2e6e2-d570-4764-ad30-52c008345de1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1284375
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2fed75fb1b7aebeb5399686b962604e4db24a8f2a0ab33e2c2f3d4d98711a44e/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-08-02 11:33:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7wxl6y3plv6wu4znbvzmjqe4tnsjkhsucvthywc6pkntbyrurha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ace5259a5f3de5bfd71221aac959b8054bc31018aac425aa440aa4fe451ebb8
AgentTesla
0b30ef2d36a2b3017821cbd3e6ae4d141be417c0fc72d8289deb79dfedbea4b9
AgentTesla
27c66e4fca745ecd962769fd00218d7a645f338a6e20b25cce8b88d784a89a0a
AgentTesla
449947dedfa89870f0f4d5dc86edc66c4656a6f94504167bbe4f803cd5c16076
AgentTesla
604604dc265f5866cfdae29e7ad4dc304a18a23feaf3c69ee3154461d62dbaf7
AgentTesla
6a3bc2efcecdd25c5257e19e630b5785dc9e8ebb259773d40d2fc4c19e377285
AgentTesla
eb4b358d784a43733f3b307b562f7d3282cc07d94be7526cd8600bf8a4bee530
AgentTesla
+ 5'651 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230802-nnv1ssed77/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/ac820c7f-b2b0-4188-b12e-bc826621fe3e/
SH256 hash:
e128d44b86f1d9bf972e9ff80cb4077042441558ae1e62d1f58e5695a8008b41
MD5 hash:
daaf173767c50f3df8e2d382d2ae6b0a
SHA1 hash:
88d4706dc95406d66926be607e5b23b9ca843e88
Link:
https://www.unpac.me/results/ac820c7f-b2b0-4188-b12e-bc826621fe3e/
SH256 hash:
0ace5259a5f3de5bfd71221aac959b8054bc31018aac425aa440aa4fe451ebb8
MD5 hash:
fde1998a4f91b01722de069c5496560b
SHA1 hash:
1cb01d36f19e0317843ffa8936e4aced4c63d61d
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/ac820c7f-b2b0-4188-b12e-bc826621fe3e/
Parent samples :
0ace5259a5f3de5bfd71221aac959b8054bc31018aac425aa440aa4fe451ebb8
2fed75fb1b7aebeb5399686b962604e4db24a8f2a0ab33e2c2f3d4d98711a44e
9d3b52ca879885a78c6877c9ef71c18fd7584ab7f1aa94e6154edf5fb1d553f9
SH256 hash:
40821038dd9a8a0c85f1c5898dcdd8fac1499e0b569ddfbadffe1c6ceb0aa03b
MD5 hash:
71ff3a9613b8d58debedc2742c43def3
SHA1 hash:
17cc80f177b9baa3f97024e6c7606961aaf36e37
Link:
https://www.unpac.me/results/ac820c7f-b2b0-4188-b12e-bc826621fe3e/
SH256 hash:
2fed75fb1b7aebeb5399686b962604e4db24a8f2a0ab33e2c2f3d4d98711a44e
MD5 hash:
809e678154131e24dc8ed0e05fe367a0
SHA1 hash:
86d4b0f603a869ae6980957dfa4c8720126851c0
Link:
https://www.unpac.me/results/ac820c7f-b2b0-4188-b12e-bc826621fe3e/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2fed75fb1b7a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fed75fb1b7aebeb5399686b962604e4db24a8f2a0ab33e2c2f3d4d98711a44e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV4
Create hunting rule
Author:Rony (r0ny_123)
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 2fed75fb1b7aebeb5399686b962604e4db24a8f2a0ab33e2c2f3d4d98711a44e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2695945/
Cape
Cape
https://www.capesandbox.com/analysis/439838/

Comments


Avatar
zbet commented on 2023-08-02 11:32:44 UTC

url : hxxp://195.178.120.24/centsop.exe