MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 656b4aca18598d0fc4b53fa2585745d48498ced7d027e115643c7e50a5d92b9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 656b4aca18598d0fc4b53fa2585745d48498ced7d027e115643c7e50a5d92b9d
SHA3-384 hash: 849e7596f79aef854bb858cb0fad4218977758781bc5325072e413a3b5f88fe517182419a4b1971beadfea23fd674690
SHA1 hash: b7f8e51419c9c0d1669bb5f447274697b4548c4c
MD5 hash: e2f700dd4f26b02938dabb237b0dbe46
humanhash: fourteen-king-apart-romeo
File name:bank TT slip.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:932'352 bytes
First seen:2023-01-23 14:42:42 UTC
Last seen:2023-01-29 07:52:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:nE/V28nss0h0Pj9ggKdG+PVogHOpi5L7P++FrdvhXuJl9PsMgGTmy9Ph0:nEN28e6JIdGxq7P+wBhOeyM
Threatray 20'911 similar samples on MalwareBazaar
TLSH T15D1502DD22E31F82DBB7DB3CD0E2562053B9E61692B3F319648401EC4E53695FA46EE0
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2d0e8b2968eb2b8 (8 x AgentTesla)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
bank TT slip.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 14:45:48 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/9f3886b7-fdbb-42a3-a048-b3f2ccae781e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355908/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Changing the hosts file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi clipbanker packed
Link:
https://www.filescan.io/uploads/63ce9cf61c9cbf7d6251ab42/reports/dc591c01-ec2b-43cc-ad38-189fa27d0fb0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0efb2176-ac7a-48cc-95c0-48f84ba8fa9f
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157073
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 789806 Sample: bank TT slip.exe Startdate: 23/01/2023 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 12 other signatures 2->59 7 bank TT slip.exe 6 2->7         started        11 OiDoZiiA.exe 2 2->11         started        14 yqWDN.exe 2 2->14         started        16 yqWDN.exe 2->16         started        process3 dnsIp4 39 C:\Users\user\AppData\Roaming\OiDoZiiA.exe, PE32 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmp24D3.tmp, XML 7->41 dropped 43 C:\Users\user\...\bank TT slip.exe.log, ASCII 7->43 dropped 69 Injects a PE file into a foreign processes 7->69 18 bank TT slip.exe 2 5 7->18         started        23 schtasks.exe 1 7->23         started        51 127.0.0.1 unknown unknown 11->51 71 Antivirus detection for dropped file 11->71 73 Multi AV Scanner detection for dropped file 11->73 75 Machine Learning detection for dropped file 11->75 25 WerFault.exe 10 11->25         started        27 WerFault.exe 10 14->27         started        29 WerFault.exe 16->29         started        file5 signatures6 process7 dnsIp8 45 mail.qualitysolutions.co.in 18->45 47 qualitysolutions.co.in 162.241.148.128, 49701, 587 UNIFIEDLAYER-AS-1US United States 18->47 33 C:\Users\user\AppData\Roaming\...\yqWDN.exe, PE32 18->33 dropped 35 C:\Windows\System32\drivers\etc\hosts, ASCII 18->35 dropped 37 C:\Users\user\...\yqWDN.exe:Zone.Identifier, ASCII 18->37 dropped 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->61 63 Tries to steal Mail credentials (via file / registry access) 18->63 65 Tries to harvest and steal ftp login credentials 18->65 67 3 other signatures 18->67 31 conhost.exe 23->31         started        49 192.168.2.1 unknown unknown 29->49 file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/656b4aca18598d0fc4b53fa2585745d48498ced7d027e115643c7e50a5d92b9d/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-01-23 04:51:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mvvuvsqylggq7rfvh6rfqv2f2scjrtwx2at6cflehr7fbjozfooq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
020b7a8bc9672971337dabfbbd1950c8f03848b6188ad81509b1fbe968d5976e
AgentTesla
0a768c8f7c5766a03e0de50b789c83cc41b905398a20510846ab670550a66c1e
AgentTesla
56293306a9df17a9d74d13e7a57e632068ae6fc7c52df2dedb5b0cf331de9b9d
AgentTesla
6ba05012dc42370e27fe763cafdd4b4a09b0b198083199090dd1ff1856756d61
AgentTesla
85d8c7505d9e7309fc517a754d9aada7d30f2e164183863247e998527b113961
AgentTesla
8604f1c98675e3c0d417eb8c93fa89d12780b3d16e7bc3110ef3c8d3596db103
AgentTesla
d1d07d3a85bdacc41a20c1380030da1f39b8b22667a04158e0b177f3acb40de6
AgentTesla
d8bc28c6a7d6ae161559b95369d0e50226295913f78f3fc48bdfadb61ee753a5
AgentTesla
f3c22af4dadc884ac3182ba7c79013082e9a835c19d23d7654aa493f56eb3852
AgentTesla
+ 20'901 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230123-r3kedsfc8w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
ead63b1d26df91c4ebb39ff9c0d013fdb29040a0fd4b8d5cc6beca80664f9aef
MD5 hash:
4449963df490eac778da024d1b56c68b
SHA1 hash:
eae307e4b11182ce5d2e0fa7822ad924eb3b9680
Link:
https://www.unpac.me/results/5661fd8a-1808-44a6-9f24-f91da712250a/
SH256 hash:
8f153b19de48138fc18c356309c0d4c21542fa40462acaa37b67dac513d74f6d
MD5 hash:
5de72aab3eeee5ccbfaa794e32ef1492
SHA1 hash:
765df98455621b7eec1ec36de1ddcbb48d894e4e
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/5661fd8a-1808-44a6-9f24-f91da712250a/
Parent samples :
6ba05012dc42370e27fe763cafdd4b4a09b0b198083199090dd1ff1856756d61
656b4aca18598d0fc4b53fa2585745d48498ced7d027e115643c7e50a5d92b9d
SH256 hash:
94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129
MD5 hash:
874dcc6be499121b1425bfdff1f8ad46
SHA1 hash:
66f83bedc73876b77e152c604b8214bde86d965e
Link:
https://www.unpac.me/results/5661fd8a-1808-44a6-9f24-f91da712250a/
SH256 hash:
2d8657c7781c029e4143293b1f33f5c2a807c1b3ed7160f1ff77b99de148a8e8
MD5 hash:
c0c51b49b3d640e8242bfbb343d0c920
SHA1 hash:
131f521a0114719d4a93e4b097c3d3038748fc76
Link:
https://www.unpac.me/results/5661fd8a-1808-44a6-9f24-f91da712250a/
SH256 hash:
656b4aca18598d0fc4b53fa2585745d48498ced7d027e115643c7e50a5d92b9d
MD5 hash:
e2f700dd4f26b02938dabb237b0dbe46
SHA1 hash:
b7f8e51419c9c0d1669bb5f447274697b4548c4c
Link:
https://www.unpac.me/results/5661fd8a-1808-44a6-9f24-f91da712250a/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/656b4aca1859/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/656b4aca18598d0fc4b53fa2585745d48498ced7d027e115643c7e50a5d92b9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar c92bb3d1f961d92bb891332e877488def6c2f7b1e851120e31ecf1da20a3a9f6

AgentTesla

Executable exe 656b4aca18598d0fc4b53fa2585745d48498ced7d027e115643c7e50a5d92b9d

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/355908/
  
Dropped by
SHA256 c92bb3d1f961d92bb891332e877488def6c2f7b1e851120e31ecf1da20a3a9f6
  
Dropped by
MD5 7dd1b5a1b65050a0a687b7916000f9b4
  
Dropped by
SHA256 6e602f01bd5d31d60a14af0af025b2186b27689c8399ce425a56ca543a7ed673
  
Dropped by
MD5 09bbed78b0b803ec792ae05d93f5b6ea

Comments