MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 752362021953d0160db0daf44f7266489e5f97d0c0893b074f4315dbdb9636b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 752362021953d0160db0daf44f7266489e5f97d0c0893b074f4315dbdb9636b2
SHA3-384 hash: a6ba4736ef94dd7cf6513af40afc35ac02d4dfb412a8a000a3756e68507a3da5274ad8ca1d1aaa8d664da7c0378f905d
SHA1 hash: e57f2fd79379929c5445d2b33f3553e4a0971248
MD5 hash: 37a2892bad5d99ee10da3a9b1bcf8688
humanhash: robert-magnesium-whiskey-asparagus
File name:PRE ALERT NOTICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:485'987 bytes
First seen:2022-11-22 20:24:03 UTC
Last seen:2022-11-24 00:57:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 6144:jEa0iWrOZ9rPx0dyARJQwj0OhlEKGQAavr3lwcFDHnI161gIaEwuXk:HaOZ9rPx0Wu0WGavL35IIpLw4k
Threatray 21'653 similar samples on MalwareBazaar
TLSH T14FA4AC322C739405FEFDC239BCD1B39442253ABFACC91F92E6047ADA75A32D552705A2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 66c29abaaaaaaa86 (20 x AgentTesla, 10 x Formbook, 7 x SnakeKeylogger)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PRE ALERT NOTICE.exe
Verdict:
Malicious activity
Analysis date:
2022-11-22 20:25:13 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/b3e4f267-2864-479b-8eb4-bd4e43a0896a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337348/
Detection(s):
SecuriteInfo.com.FileRepMalware.21740.21599.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a window
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/637d301f559d07a06f46e11d/reports/c1f70b26-95e3-4437-99be-75a3650defaf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/194ae5cb-37e2-4527-b974-259cd57253a5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1119201
Signature
.NET source code contains very large array initializations
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/752362021953d0160db0daf44f7266489e5f97d0c0893b074f4315dbdb9636b2/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 16:51:15 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ourweaqzkpibmdnq3l2e64tgjcpf7f6qycetwb2pimk5xw4wg2za._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
42cb095fcf7bce147419fe87bffc91a1c0c189f731daaa819b17d371594b868f
AgentTesla
4422661ccc0d1ca90ea0427fbe9eacc398d819ef1f557c163a686fa127444c3a
AgentTesla
458875e02d96fcc736bd56465bc36cc480dc57698db5396d091bd82a6070758d
AgentTesla
6a3eefaea40a73ea60754b671815a5c34603738acbe2905cf47b73cf3644266b
AgentTesla
6c0fa98c3efe2e344205ce8ebf89e440100294b7a1d4624f7484c2dadc644b0b
AgentTesla
d7bd6a1d419ffb47c95217fc6b1133d6d1bba50af95717087f11c2a704972f75
AgentTesla
ecb00bb8fd9f9fb3de654096a3590e73ac39793e1c8dd3e30d8e859b91c257d8
AgentTesla
+ 21'643 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221122-y69xsafh89/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/
Unpacked files
SH256 hash:
bc859705280afa12ea7f793245b7d36c388824d1fb63f19fba78075d8335c59c
MD5 hash:
3e96a95ba3e98fe45413ddd8f376ad1a
SHA1 hash:
5d6763cdccb0f91a6988226eecf92fb57eb9250d
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/6f7b1d50-3050-4b24-be8e-0f333bc51085/
Parent samples :
752362021953d0160db0daf44f7266489e5f97d0c0893b074f4315dbdb9636b2
2f3c179b97541b711d8926cf95673e1bcdbd2ce6ed22980abf88ba689ab2f21d
523827d0143781d5e1124ddcc75eaed873f190f255497217ef2f61a5714fedb8
65c9b0f0953bfb1534836f0077fc7b14edf3c2d06649931cf39c26c7ec9d8f19
SH256 hash:
adb86c4ec3417e7174cca60e66194ddd1c7710a812ca5d419377ae03f444a8c2
MD5 hash:
4dc5fafa4e0dd1f71eecb9715c84e759
SHA1 hash:
0b259b2237e17fa9d88a45ec327c5c235617ab37
Link:
https://www.unpac.me/results/6f7b1d50-3050-4b24-be8e-0f333bc51085/
SH256 hash:
94e1d6a97bf4e452c4c8ed6758280523a928fa6049daaea26e02c9be2acf3baa
MD5 hash:
1c62872ab5c6285edc871a8a39ba1264
SHA1 hash:
500e09f112dfcc6fc40420d6b4eefeeba1385d1e
Link:
https://www.unpac.me/results/6f7b1d50-3050-4b24-be8e-0f333bc51085/
SH256 hash:
752362021953d0160db0daf44f7266489e5f97d0c0893b074f4315dbdb9636b2
MD5 hash:
37a2892bad5d99ee10da3a9b1bcf8688
SHA1 hash:
e57f2fd79379929c5445d2b33f3553e4a0971248
Link:
https://www.unpac.me/results/6f7b1d50-3050-4b24-be8e-0f333bc51085/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/752362021953/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/752362021953d0160db0daf44f7266489e5f97d0c0893b074f4315dbdb9636b2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/337348/

Comments