MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74a11cea013de11b64fe3bd8a207d14d1cf0d918d3156c418c0d6be1af2bc0c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74a11cea013de11b64fe3bd8a207d14d1cf0d918d3156c418c0d6be1af2bc0c6
SHA3-384 hash: 82330b91ff1a7d65bebdfab5b1f8e0dabfcba41596b1c0b886c210ec402bc37c14948eb8bd6e29930f0f30aca5a257c8
SHA1 hash: 82f95e715782374490442a1fffa82ce2af11606b
MD5 hash: 9ca5c9d62b000607f84e2a7eb64d0730
humanhash: uncle-equal-single-michigan
File name:hesaphareketi-01.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:739'840 bytes
First seen:2022-05-25 08:01:53 UTC
Last seen:2022-05-25 10:23:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:UVyGZFFluy3/L89x4NcIdqB4rwX/s16mhB0iyiuXRawKTDHjg7nPTIJUZ0aLcACY:Ux5iqqB40PRS0yuXRhk47bPZ0QdKFq
Threatray 18'790 similar samples on MalwareBazaar
TLSH T16AF4F1DC365072EFC867C93799A82C64BA717977970BC24B901305AD991EAA7CF102F3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
hesaphareketi-01.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 10:17:37 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/5590dcd1-6eba-418c-af35-f81eaa1a96e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274404/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628de27e054dcf0ecaebacb0/reports/de74aa23-71a8-4963-82af-aa6c6778abfa/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f72b0ef4-4946-42d2-9eca-f8ccd3c6506e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001359
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/74a11cea013de11b64fe3bd8a207d14d1cf0d918d3156c418c0d6be1af2bc0c6/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 07:21:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=osqrz2qbhxqrwzh6hpmkeb6rjuopbwiy2mkwyqmmbvv6dlzlydda._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2aa8f6347e3d331950c557528790162d59d5607fadbb111e1cefad5a34ba6cd9
AgentTesla
505030a791a0085c41151e5c8c959beb07636b239ae83bdc67f117d11bcfcb41
AgentTesla
64d0928cdd1fdc4a62e1744aca6b98be5fbc83bef9ed2aae4fef673270d15aa9
AgentTesla
91013ab0b0999686672e5c2de12b75f5610afdda98649456c89ce1f47c9c2d6f
AgentTesla
b8c5f7418d9d98a90fc966c8796c54238f5de69a7e04eb19bdeec52457152c41
AgentTesla
ec1a1f01cac9874499e10498d596a85202bf1cc0d51531211a0f658ca1778508
AgentTesla
ee62dc596e4b4fe76f8e015ac250d696a483f656ebb02d02815520b3fd560e30
AgentTesla
+ 18'780 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220525-jw5gzshcd3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
9e24efe0952980419959cdeb042685bfa47b3ab72f28aadeeae5b0744b072f55
MD5 hash:
266ae269ba90df0ea09d70dc4dd62739
SHA1 hash:
eecad40416c69c96b2aba2a83d074c3fabb41fbd
Link:
https://www.unpac.me/results/518716b1-a359-4d0b-8e17-d4e366b019c4/
SH256 hash:
96d978f04821f58b7b06513e0cb082795c38fbc2a8163faedba313d48f93f20b
MD5 hash:
057ec2d485a32209150d1f701ac86064
SHA1 hash:
c691a85efab0bb0594eb99cded7520953954b6a3
Link:
https://www.unpac.me/results/518716b1-a359-4d0b-8e17-d4e366b019c4/
SH256 hash:
0283941f1f7ae72f88bb3044addc3f4274549c3fd771612ec3df95c80b708c9e
MD5 hash:
abcf7824b477074db7ac154a80d1e329
SHA1 hash:
9c6982829bff318776560846de7bcc39d3c16f7f
Link:
https://www.unpac.me/results/518716b1-a359-4d0b-8e17-d4e366b019c4/
SH256 hash:
c720d8d87e5744ef459c160ae3ae85984519c5cee89d4acd3d4156f929ebcca2
MD5 hash:
86f922d84e1b89f646bc23cb3d878a9c
SHA1 hash:
b61f4401c1a144d704988cf4e55dd9a71f8d8263
Link:
https://www.unpac.me/results/518716b1-a359-4d0b-8e17-d4e366b019c4/
SH256 hash:
3fc2555a5ce978f4d21c783dcb7e93a3b7ef584615c8e6dec87f3f8379243cd9
MD5 hash:
199f0f37aa74e7c772268b9a5e2e6827
SHA1 hash:
122b8b43def92c9e8f258738362f46799e8cf18c
Link:
https://www.unpac.me/results/518716b1-a359-4d0b-8e17-d4e366b019c4/
SH256 hash:
74a11cea013de11b64fe3bd8a207d14d1cf0d918d3156c418c0d6be1af2bc0c6
MD5 hash:
9ca5c9d62b000607f84e2a7eb64d0730
SHA1 hash:
82f95e715782374490442a1fffa82ce2af11606b
Link:
https://www.unpac.me/results/518716b1-a359-4d0b-8e17-d4e366b019c4/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74a11cea013d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74a11cea013de11b64fe3bd8a207d14d1cf0d918d3156c418c0d6be1af2bc0c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 74a11cea013de11b64fe3bd8a207d14d1cf0d918d3156c418c0d6be1af2bc0c6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274404/

Comments