MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73c64cc8fcfb9a95a1a7a4caf2f42c48727ab4a557d34d1fde2801761878a794. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 13



SHA256 hash: 73c64cc8fcfb9a95a1a7a4caf2f42c48727ab4a557d34d1fde2801761878a794
SHA3-384 hash: d39f92aa2900ac5679931b72c835fe09461a2b1c8521cc3385407d233e554d183d7048113703eaf0fcf0508090ebf75e
SHA1 hash: da5c8742498cad5fd118b0c3f48a76cbb1e6f784
MD5 hash: 2ed9e4b847d4798713e5c6f5e1efc6f7
humanhash: echo-artist-south-spring
File name: 2ed9e4b847d4798713e5c6f5e1efc6f7
Signature: AgentTesla
File size: 270'070 bytes
First seen: 2022-04-12 12:29:33 UTC
Last seen: 2022-04-12 13:59:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep: 6144:8Qq+fuWK5qsgSyTVVErC+CLtY+hWr2CMMZMvCSPmCOci+:TGWK5ETVVpDkSCM0MvCSPBG+
Threatray: 15'679 similar samples on MalwareBazaar
TLSH: T16444225128C480AFE960AAB11BB243A7A7B7FF011761062B939D5FFF9E710C7D109746
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: zbetcheckin
Tags: 32 AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 316
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 2ed9e4b847d4798713e5c6f5e1efc6f7
Verdict: Malicious activity
Analysis date: 2022-04-13 03:44:01 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox; its verdict reflects everything the analyst did during the session, not only the behaviour of the uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph (ID 608059; sample a2VYZ67AyU.exe; start date 12/04/2022; architecture WINDOWS; score 100), recovered from the graph's text labels:
Root signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 2 other signatures
Process tree:
a2VYZ67AyU.exe
    dropped: C:\Users\user\AppData\Local\Temp\fxxtb.exe (PE32)
    fxxtb.exe
        dropped: C:\Users\user\AppData\...\nvdaoffmf.exe (PE32)
        signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
        fxxtb.exe (second instance)
            network: mail.privateemail.com 198.54.122.135, destination port 587 (source port 49840), NAMECHEAP-NETUS, United States
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
nvdaoffmf.exe (started separately, first instance)
    signatures: Multi AV Scanner detection for dropped file
    WerFault.exe
nvdaoffmf.exe (started separately, second instance)
    WerFault.exe
        network: 192.168.2.1 unknown unknown
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-04-12 12:30:12 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 24 of 26 (92.31%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: dcfcb94e6d568122aca3e9dfbe495b7b84ee6ebf37ba97ff383158e0df16c7dd
MD5 hash: ed7932907af8bdd20475a88bd4b9d95d
SHA1 hash: aaeade999d7821c3ebea6387ea63ffc5abf858e0
SHA256 hash: 08a1c198801894d61bbcfdd08c4ff870f37ce1bf1f80283160627ca0ec35ca98
MD5 hash: 1188dd8ddcdea0dd5c8ee3a4ee6d39bc
SHA1 hash: 8dd52ea7ea8bd4012035ad5837af4893aa8b9e9c
SHA256 hash: a3cfb0415561e8aa63319a3adccee6c9b6af36e9519dabcbd82cc0138ddd957d
MD5 hash: 7b4e27a64359dd034e68862bc9ce0baf
SHA1 hash: fc6a7b362fe47be1f351dba9cb52175e2aa06ad0
SHA256 hash: f6bf3ba09cff3d652004f5075873ba6a634246262ce82cfa2676843c5f5d0da9
MD5 hash: 00336b5eede2f699c3bfe7a40f43c4d3
SHA1 hash: 29fc8281893dd2a1cc1792d94dabe97d58b00393
SHA256 hash: 73c64cc8fcfb9a95a1a7a4caf2f42c48727ab4a557d34d1fde2801761878a794
MD5 hash: 2ed9e4b847d4798713e5c6f5e1efc6f7
SHA1 hash: da5c8742498cad5fd118b0c3f48a76cbb1e6f784
Malware family: AgentTesla.v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
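The sandbox reports above describe the same chain from three angles: a dropper writes fxxtb.exe to %temp%, a second stage lands under %AppData% as nvdaoffmf.exe and is registered under the CurrentVersion\Run key, WMI is queried for Win32_Bios / Win32_BaseBoard / Win32_NetworkAdapter, and stolen credentials leave over SMTP to mail.privateemail.com (198.54.122.135:587). The script below is an added example, not MalwareBazaar's or any vendor's code, that turns those observations into host-based matching logic and runs it over a few constructed Sysmon-style JSON events. Indicator values come from this entry; the event records, the rule names and the mail-client allow-list are assumptions made for the example.

```python
"""Match endpoint telemetry against the indicators listed in this entry.

Added example, not MalwareBazaar's or any sandbox vendor's code. Hashes,
dropped file names, the Run key, the WMI classes and the SMTP host/IP/port
are taken from the entry; the JSON events below are constructed to resemble
Sysmon output and are not real telemetry. MAIL_CLIENTS and the rule names
are assumptions for the example.
"""
import json
import re

# Indicators from this entry (lowercase hex digests: SHA256 and MD5 of the
# submitted file, SHA256 of the four unpacked files).
KNOWN_HASHES = {
    "73c64cc8fcfb9a95a1a7a4caf2f42c48727ab4a557d34d1fde2801761878a794",
    "2ed9e4b847d4798713e5c6f5e1efc6f7",
    "dcfcb94e6d568122aca3e9dfbe495b7b84ee6ebf37ba97ff383158e0df16c7dd",
    "08a1c198801894d61bbcfdd08c4ff870f37ce1bf1f80283160627ca0ec35ca98",
    "a3cfb0415561e8aa63319a3adccee6c9b6af36e9519dabcbd82cc0138ddd957d",
    "f6bf3ba09cff3d652004f5075873ba6a634246262ce82cfa2676843c5f5d0da9",
}
DROPPED_NAMES = {"fxxtb.exe", "nvdaoffmf.exe"}
EXFIL_HOSTS = {"mail.privateemail.com"}
EXFIL_IPS = {"198.54.122.135"}
# Matches a value written directly under ...\CurrentVersion\Run\ (the branch the
# ANY.RUN report names), not RunOnce or unrelated keys containing "run".
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)
VM_CLASSES = {"win32_bios", "win32_baseboard", "win32_networkadapter"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list for port 587


def basename(path: str) -> str:
    """Lowercased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hashes(field: str) -> set[str]:
    """Sysmon 'SHA256=..,MD5=..' field -> set of lowercase digests."""
    return {p.split("=", 1)[1].strip().lower() for p in field.split(",") if "=" in p}


def match_event(ev: dict) -> list[str]:
    """Return the name of every indicator rule this single event triggers."""
    hits = []
    kind = ev.get("EventType")
    image = basename(ev.get("Image", ""))
    if kind == "ProcessCreate":
        if image in DROPPED_NAMES:
            hits.append("dropped_executable_name")
        if parse_hashes(ev.get("Hashes", "")) & KNOWN_HASHES:
            hits.append("known_sample_hash")
    elif kind == "RegistryEvent":
        if RUN_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append("run_key_persistence")
    elif kind == "WmiQuery":
        classes = set(re.findall(r"\bwin32_\w+", ev.get("Query", "").lower()))
        if classes & VM_CLASSES:
            hits.append("wmi_vm_fingerprinting")
    elif kind == "NetworkConnect":
        if (ev.get("DestinationIp") in EXFIL_IPS
                or ev.get("DestinationHostname", "").lower() in EXFIL_HOSTS):
            hits.append("known_exfil_host")
        elif ev.get("DestinationPort") == 587 and image not in MAIL_CLIENTS:
            # Submission-port SMTP from something that is not a mail client is
            # the generic form of the AgentTesla exfil seen in the graph above.
            hits.append("smtp_submission_from_unexpected_process")
    return hits


def scan(log_text: str) -> list[tuple[int, str]]:
    """Scan newline-delimited JSON events; returns (line_number, rule) pairs."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or garbled lines rather than abort
        hits.extend((lineno, rule) for rule in match_event(ev))
    return hits


# Constructed events, not real telemetry; they replay the chain described above.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Users\user\Downloads\pworwz.exe",
     "Hashes": "SHA256=73c64cc8fcfb9a95a1a7a4caf2f42c48727ab4a557d34d1fde2801761878a794,"
               "MD5=2ed9e4b847d4798713e5c6f5e1efc6f7"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\user\AppData\Local\Temp\fxxtb.exe",
     "ParentImage": r"C:\Users\user\Downloads\pworwz.exe"},
    {"EventType": "RegistryEvent", "Image": r"C:\Users\user\AppData\Local\Temp\fxxtb.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\nvdaoffmf"},
    {"EventType": "WmiQuery", "Image": r"C:\Users\user\AppData\Local\Temp\fxxtb.exe",
     "Query": "SELECT * FROM Win32_BIOS"},
    {"EventType": "NetworkConnect", "Image": r"C:\Users\user\AppData\Local\Temp\fxxtb.exe",
     "DestinationHostname": "mail.privateemail.com", "DestinationIp": "198.54.122.135",
     "DestinationPort": 587},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Office\OUTLOOK.EXE",
     "DestinationHostname": "smtp.example.net", "DestinationIp": "192.0.2.10",
     "DestinationPort": 587},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + '\n{"EventType": "truncated'

if __name__ == "__main__":
    for lineno, rule in scan(SAMPLE_LOG):
        print(f"line {lineno}: {rule}")
```

The hash and name rules are brittle by design (a rebuild or rename defeats them); the Run-key, WMI and SMTP rules are the ones that survive a new build, and they also fire on the Formbook and Loki samples that share this entry's imphash and icon hash, so tune the allow-list against your own baseline before deploying. The vendor that labels the file Win32.Trojan.FormBook disagrees with the other two on the family name; matching on behaviour rather than on vendor names sidesteps that.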

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against samples uploaded to MalwareBazaar and against any suspicious process dumps those samples produce. Only matches from TLP:CLEAR rules are displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE
Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload
Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla
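Two of the rules above (pe_imphash and Skystars_Malware_Imphash) key on the import hash, and the imphash line in the file table shows why that is a packer signature rather than a family signature: the same value 7fa974366048f9c551ef45714595665e sits on 946 Formbook, 398 Loki and 261 AgentTesla samples. The following is an added example, not code from MalwareBazaar, pefile or the rule authors, that recomputes an imphash from an import list so the normalisation is visible. The import tables are constructed stand-ins for a packer stub, not this sample's real imports, so the digest they produce is not this sample's imphash; ORDINAL_NAMES holds only three entries of the ws2_32 ordinal table that real tools ship (an assumption made to keep the example short).

```python
"""Recompute a PE import hash (imphash) from an import list.

Added example, not code from MalwareBazaar, pefile or the YARA rule authors
above. Normalisation follows the published imphash convention: library name
lowercased with .dll/.ocx/.sys stripped, function name lowercased, ordinal
imports resolved through a per-library name table where one exists and
otherwise written as ordN, entries joined with commas in import-table order
and MD5-hashed. ORDINAL_NAMES is a constructed three-entry subset of the
ws2_32 table; the import lists are constructed and are not this sample's.
"""
import hashlib

ORDINAL_NAMES = {"ws2_32": {3: "closesocket", 4: "connect", 23: "socket"}}


def normalise_library(name: str) -> str:
    """'KERNEL32.dll' -> 'kernel32'; extensions other than dll/ocx/sys stay."""
    lib = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if lib.endswith(ext):
            return lib[: -len(ext)]
    return lib


def import_string(imports) -> str:
    """imports: iterable of (library, function name or ordinal int), in table order."""
    parts = []
    for lib, func in imports:
        lib = normalise_library(lib)
        if isinstance(func, int):
            func = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import string, as a 32-char lowercase hex digest."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


# Constructed stub-like import tables. STUB_B is STUB_A with different casing
# and the socket import by name instead of ordinal; normalisation makes them equal.
STUB_A = [("KERNEL32.dll", "GetProcAddress"), ("KERNEL32.dll", "LoadLibraryA"),
          ("KERNEL32.dll", "VirtualAlloc"), ("WS2_32.dll", 23)]
STUB_B = [("kernel32.DLL", "getprocaddress"), ("Kernel32.dll", "LoadLibraryA"),
          ("kernel32.dll", "VIRTUALALLOC"), ("ws2_32.dll", "socket")]

if __name__ == "__main__":
    print(import_string(STUB_A))
    print(imphash(STUB_A), imphash(STUB_B), imphash(list(reversed(STUB_A))))
```

Only the import directory goes into the digest, so every payload wrapped by the same stub (whatever family it belongs to) shares the value, which is what the Formbook/Loki/AgentTesla counts on this page reflect; conversely, reordering or adding one import changes it completely, so an imphash rule pivots on the packer build, not on the malware family. Real tooling also carries the full ws2_32 and oleaut32 ordinal tables; an import by ordinal that is not in the table is hashed as ordN and will not match a by-name build of the same stub.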

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AgentTesla
File: Executable exe 73c64cc8fcfb9a95a1a7a4caf2f42c48727ab4a557d34d1fde2801761878a794 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-04-12 12:29:38 UTC

url: hxxps://ilpem-ar.com/pworwz.exe