MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65b329e466d4e90c97d6d4d2732a531547db9ee7bb3a6c344c420260d14764c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65b329e466d4e90c97d6d4d2732a531547db9ee7bb3a6c344c420260d14764c3
SHA3-384 hash: 00ce5a1035ad6b5f719d365f0b3a1d3503bf2bd8722d2b2828d75955892d4cf5f9560d9b959897706c531e9b03a5fb32
SHA1 hash: 1303052ce9d090d394264d7dd49694e4a8c08fdd
MD5 hash: 49683020c3800d51c6974148f15e3955
humanhash: four-hamper-eighteen-high
File name:PO Copy for Dahej & Ambernath Plant.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:678'400 bytes
First seen:2022-05-13 10:02:26 UTC
Last seen:2022-05-13 10:49:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:PisA4ZpbEn5+lLo46/r9qy9rNsuTygNCrTss0iLGG5c8HKlATCfi/6eA8RL4:qqpbE5+36T19rNeggvsXiLNdKTfodHRE
Threatray 18'006 similar samples on MalwareBazaar
TLSH T102E4F17EF1EBCE22C32522B2C4DA190003764A5A9223F79B1F4650D95E12BDB4D95BCF
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270392/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/627e2cd97804b2efc492e7b4/reports/8b93f55c-cea0-4388-918f-f327ca00ee14/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2281ab14-c494-4087-92d8-b836a1a23f97
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993491
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/65b329e466d4e90c97d6d4d2732a531547db9ee7bb3a6c344c420260d14764c3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-13 10:03:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mwzstzdg2tuqzf6w2tjhgkstcvd5xhxhxm5gyncmiibgbukhmtbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2062091ea3279a8954439ab8e4ea0433b5ba01247554bd02943958645cc6275c
AgentTesla
6ab30070b29a4095465e89dbc1a4b0788625565aa7608973b274aadd715b5db1
AgentTesla
8bf77994fb5759f8be8d739cd651531fda75de8888c7f579ccafbbadb3b3decb
AgentTesla
973cdd2632a42ff8596a6c4f6c84e4fa5a8483cd7afbd55f36a529df419a3739
AgentTesla
c2cc26cf1ca74f4fc3417d33bf12e4715e9b031d20b7208664bdec373bd528c4
AgentTesla
d0c6ca3de3ef4d363fd459c2dcd529b8bd7dc3c1b6196e1a913314d89209bd7a
AgentTesla
ef85f9069eb8f860d143a599a3fe891ddff4341b3f6da959c69e6b6b22d3f53e
AgentTesla
+ 17'996 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220513-l3b55aedh3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
c206122a7336385be557580c114ac0923192f61bc8f77aa58c898135438399f9
MD5 hash:
6c9e813248a01432890c476813d210b8
SHA1 hash:
fd54aa3af58fc3a88cb3fd6753d773cd6c51b7f8
Link:
https://www.unpac.me/results/86c331fc-04a9-4e29-bb59-eb5e90838595/
SH256 hash:
35393ba9238254a4a56dffd2f5070e4b42e0c2ffb3d9fd209d3f1e0d3d46d946
MD5 hash:
062ac82f7d6bf4ad308ec1d66ac4c8f5
SHA1 hash:
f19c9ded10cba9a88be35d022f827fa3d2feef0a
Link:
https://www.unpac.me/results/86c331fc-04a9-4e29-bb59-eb5e90838595/
SH256 hash:
b5fbba8f1c503c9126c257dfa2eb725c2b268a339ad2817537cf62c524d0d28a
MD5 hash:
e93fea53361a37023d7c1c27d9ff170d
SHA1 hash:
ed4e3a360001c324f953f3cc1adb3dafb580b7d4
Link:
https://www.unpac.me/results/86c331fc-04a9-4e29-bb59-eb5e90838595/
SH256 hash:
d628db2adc822c25145ed8d1155c199686f8dcad506a93cfb19809a018c80c3f
MD5 hash:
4e35f7a4fb2bbfd3025c9555abba6043
SHA1 hash:
48e6b6341772819d27d5cd715cfde34528075ae5
Link:
https://www.unpac.me/results/86c331fc-04a9-4e29-bb59-eb5e90838595/
SH256 hash:
65b329e466d4e90c97d6d4d2732a531547db9ee7bb3a6c344c420260d14764c3
MD5 hash:
49683020c3800d51c6974148f15e3955
SHA1 hash:
1303052ce9d090d394264d7dd49694e4a8c08fdd
Link:
https://www.unpac.me/results/86c331fc-04a9-4e29-bb59-eb5e90838595/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/65b329e466d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65b329e466d4e90c97d6d4d2732a531547db9ee7bb3a6c344c420260d14764c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace b0267ba8d08152127735770549df81b4b95f72ce70bef52fd062c49c6ab7c5b1

AgentTesla

Executable exe 65b329e466d4e90c97d6d4d2732a531547db9ee7bb3a6c344c420260d14764c3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b0267ba8d08152127735770549df81b4b95f72ce70bef52fd062c49c6ab7c5b1
Cape
Cape
https://www.capesandbox.com/analysis/270392/
  
Dropped by
MD5 c75b85d0c2270062916f867905586fc6

Comments