MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 514f3fe23fa17edb72fbaa01fe6fd28577001dca492c28119d88c0e0182075e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 514f3fe23fa17edb72fbaa01fe6fd28577001dca492c28119d88c0e0182075e3
SHA3-384 hash: 28a00a5cae5314728154284dd5c761e1fd5406d97207b39af8cc315c43a90fe842e9279f4d1df7cff197b8d7c00445e7
SHA1 hash: 66faf542ae88de2c9a97b680f9ea65eac8f65783
MD5 hash: d4cd01621f4536347fdfb57264d0c3d4
humanhash: wisconsin-two-yankee-nine
File name:Rechnung EX46240092.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:840 bytes
First seen:2024-01-15 14:06:54 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 12:wicLsnrtGxGmFsVMd55n2imam0Zpf2u9iljjkOWyFFaVVFquKIf9GgB9y5HAl9S:wicu+iieE2uSjjiyarFKIfMgBcJ8S
Threatray 24 similar samples on MalwareBazaar
TLSH T118012F32D44EC45A6097A26321874309F1EAAF4241C0F8899364C925F09BBB8C77C2C1
Reporter TeamDreier
Tags:AgentTesla bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mail deutsche post.eml
Verdict:
Malicious activity
Analysis date:
2024-01-15 07:44:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/746cff7d-b2ba-4158-aa87-902ed886f52d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470928/
Detection(s):
SecuriteInfo.com.Other.Malware-gen.28630.31207.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/65a53c0efd5068bbc3d62bc9/reports/b766b173-dc2d-414d-a422-aa2a4aef1a9c/overview
Verdict:
Suspicious
Labled as:
BAT/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/514f3fe23fa17edb72fbaa01fe6fd28577001dca492c28119d88c0e0182075e3
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1374780
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected MSILLoadEncryptedAssembly
Behaviour
Behavior Graph:
Download SVG
Score:
3%
Verdict:
Benign
File Type:
ASCII
Link:
https://malprob.io/report/514f3fe23fa17edb72fbaa01fe6fd28577001dca492c28119d88c0e0182075e3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/514f3fe23fa17edb72fbaa01fe6fd28577001dca492c28119d88c0e0182075e3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-01-15 06:45:19 UTC
File Type:
Text (Batch)
AV detection:
1 of 38 (2.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfht7yr7uf7nw4x3via7436sqv3qahokjewcqem5rdaoagbaoxrq._file
Verdict:
unknown
Similar samples:
2fe5f7997c9111800c88d2383cd3b62cb0c72eeb2bec3c5d72b5c1ac62d9145c
AgentTesla
3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545
AgentTesla
5415bcc4bffa5191a1fac3ce3b11c46335d19f053f5d9d51a10f4ed77393ed82
AgentTesla
591862d94a476dc02982ee1d8e59eae169e10b51ab7bc13779e91218de49f414
AgentTesla
7480bd6a54b0197851bc35b0e4b7a330336348c0ecaa4f2f0c67f28c16a7488c
AgentTesla
8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55
AgentTesla
a290ce75c6c6b37af077b72dc9c2c347a2eede4fafa6551387fa8469539409c7
AgentTesla
b0409e5acf0d927f046c33befc48b2653ad0ee098e2d4a5764eb9af8126e539f
AgentTesla
dc2666c86b512a0b4455943b1275a628e2d4f64a45f20ff8ad3fc58f4ceda057
AgentTesla
f8ffc252796874ef35f1da7be7a7eb081905f81863cda673513aa422fde9b8d7
AgentTesla
+ 14 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240115-rezjeaaah6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/514f3fe23fa17edb72fbaa01fe6fd28577001dca492c28119d88c0e0182075e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Batch (bat) bat 514f3fe23fa17edb72fbaa01fe6fd28577001dca492c28119d88c0e0182075e3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/470928/

Comments