MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65297d5ef6acfa78d0ef28f4b7d6086bad8538ab34152887348fbb3cb1df79c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65297d5ef6acfa78d0ef28f4b7d6086bad8538ab34152887348fbb3cb1df79c4
SHA3-384 hash: 2f4861f5b6ff064f941bff580db9db5bf59854d0d4984b2755522949bc86ea67293112e722def570dc424eae02017354
SHA1 hash: 0f7d1bdd00df7e214edb5649802a696bbe85ec93
MD5 hash: ebd00dd1fc8b7b15abb8235522ebb61d
humanhash: quiet-triple-double-violet
File name:6225xxx2599_13xxxxx22_20230706_EkHesap,PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:634'368 bytes
First seen:2023-08-17 18:25:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:s0Dl+C42xjWGJI9YiN5iMiOUMeDbiyB1uGwRSnxiCpP22KiC3AwP3:lAMMiOUMoiUuc4C1/KiC3Aw
Threatray 1'156 similar samples on MalwareBazaar
TLSH T128D42212B265473AC50F83BC0CE6539A233A2664B973DF5E9A9D71DC5A33F901B50F22
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon aaaae8c8e8e8aaaa (15 x AgentTesla, 6 x Formbook, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
6225xxx2599_13xxxxx22_20230706_EkHesap,PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-08-17 18:49:53 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/27791ef0-6b5b-4eda-bf20-3357234b4d37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/443319/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/65297d5ef6acfa78d0ef28f4b7d6086bad8538ab34152887348fbb3cb1df79c4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d3a34a5-1b36-4a55-847e-919b4308c5b0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1293068
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1293068 Sample: 6225xxx2599_13xxxxx22_20230... Startdate: 17/08/2023 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Sigma detected: Scheduled temp file as task from temp location 2->43 45 6 other signatures 2->45 7 6225xxx2599_13xxxxx22_20230706_EkHesap,PDF.exe 6 2->7         started        11 fpAlqCmjORU.exe 3 2->11         started        13 MmRKwR.exe 3 2->13         started        15 MmRKwR.exe 2 2->15         started        process3 file4 35 C:\Users\user\AppData\...\fpAlqCmjORU.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp1052.tmp, XML 7->37 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 59 Injects a PE file into a foreign processes 7->59 17 6225xxx2599_13xxxxx22_20230706_EkHesap,PDF.exe 2 5 7->17         started        21 powershell.exe 21 7->21         started        23 schtasks.exe 1 7->23         started        25 6225xxx2599_13xxxxx22_20230706_EkHesap,PDF.exe 7->25         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 signatures5 process6 file7 31 C:\Users\user\AppData\Roaming\...\MmRKwR.exe, PE32 17->31 dropped 33 C:\Users\user\...\MmRKwR.exe:Zone.Identifier, ASCII 17->33 dropped 47 Tries to steal Mail credentials (via file / registry access) 17->47 49 Tries to harvest and steal browser information (history, passwords, etc) 17->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->51 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65297d5ef6acfa78d0ef28f4b7d6086bad8538ab34152887348fbb3cb1df79c4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-16 13:36:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=muux2xxwvt5hruhpfd2lpvqinowykoflgqksrbzur65tzmo7phca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ba8b0616ca5557b8757e20eb42437aa439606de5ca3598c6a9bb7e48fddc915
AgentTesla
2226d275fd8186f1b0c51908cdc8c75a374339f9515d950c6c73aabbe9127108
AgentTesla
50671a5bf0d58b9a8aa7fd42a637c27d6db8f2e35a6a1faef249a7b6a779fcb1
AgentTesla
6f4954a23f51c48f450992f809848da3a8bb5c1d7c4bc262332fa2507f1a1cc9
AgentTesla
96df12776607bce40d6ca1c8b9e79ac9b8bc8057ddf91014599e5452896ef4e0
AgentTesla
a0fef35dfcd0a26bab66af912e02360f499d55297f9ce71c55abd9ef180305c8
AgentTesla
d827653375fc186bab05813fb21a26330cea1c4bf19a01c6f551a8098b8f3c0d
AgentTesla
dfba6d9c101eb1273aaf962047fd958424bfac70a1162c2a910640981a23d054
AgentTesla
f14adf8284d2d04072445b5744da50141332a86ec1f28fd7ca6e316b1a7e0b24
AgentTesla
f43fa3268bd5d31fd1dd0f34207786c10239b21868da3a8a9c3952c371330f80
AgentTesla
+ 1'146 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/230817-w27kradf5y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/eba3b3ee-5ca3-452c-b50a-7d9b53e6231a/
SH256 hash:
590acb2a1c6db7759a58d397c9df3cf9206bfd3aa98bdeadc5624acd202d8703
MD5 hash:
64d4d3299934148b61f522defe3c8ec6
SHA1 hash:
92fbf4f5fef6720fedc0a3975c587a8bead2f723
Link:
https://www.unpac.me/results/eba3b3ee-5ca3-452c-b50a-7d9b53e6231a/
SH256 hash:
fba4374163ba25c9dc572f1a5d7f3e46e09531ab964d808f3dde2a19c05a2ee5
MD5 hash:
621058391344f847666de966024701cc
SHA1 hash:
507871e3796e712853f137f11b3a392e05220448
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/eba3b3ee-5ca3-452c-b50a-7d9b53e6231a/
Parent samples :
65297d5ef6acfa78d0ef28f4b7d6086bad8538ab34152887348fbb3cb1df79c4
a5301092e1f1fc43f920e0901771c2fe86a781d1821349b4aedc98efd9fea546
93f9a92e6630c227a522031f2cfbc4b94d31bc1e922487055b64a726e28a00b5
532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c
e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be
c1d96cfe7d93d7c30dafa0e7a7539e93003c2d985ff44f77c823790b5f556f4f
011cb8c9a10fb6468b0e904cde1538c37c744e3ca3721b93c6840b64d2bc9659
1e9777b2c04baf8fbcbd1fe98dca2b251bef9c779b53380b6caeb8f8e958e3ff
458b7da8ea5e1449f8ddd8cd108b75b3bb1942eab74fc50abfcf657153b96d9e
277000b3f6718f6e2d5d368734092eb7eaa460bdf93de94de9b3873cafef4ae6
9ddfb66597aa9428c17d781da36b565bf630c145dc2196956d5bfeed29379e32
SH256 hash:
b26a7e88c2fc5a6dbf3e1f5d8ac59c4579b3b9047f462c5cb7ee79548fa18da9
MD5 hash:
06dc1333af7361fb9ebebe5c4dbe58e4
SHA1 hash:
1adadf881904c5370e96c0a566085cf3c83ca8d0
Link:
https://www.unpac.me/results/eba3b3ee-5ca3-452c-b50a-7d9b53e6231a/
SH256 hash:
65297d5ef6acfa78d0ef28f4b7d6086bad8538ab34152887348fbb3cb1df79c4
MD5 hash:
ebd00dd1fc8b7b15abb8235522ebb61d
SHA1 hash:
0f7d1bdd00df7e214edb5649802a696bbe85ec93
Link:
https://www.unpac.me/results/eba3b3ee-5ca3-452c-b50a-7d9b53e6231a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65297d5ef6acfa78d0ef28f4b7d6086bad8538ab34152887348fbb3cb1df79c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 65297d5ef6acfa78d0ef28f4b7d6086bad8538ab34152887348fbb3cb1df79c4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/443319/

Comments