MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81f5eecb34f22bd640cee738295303153d9afda2a35e365d061d058fbbfed498. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81f5eecb34f22bd640cee738295303153d9afda2a35e365d061d058fbbfed498
SHA3-384 hash: 9472b8f5de25f9f22cea1f29948130ff3655b14064bb6c07a822305cee1f9337dc461c70840a5abab0855e53009ee70a
SHA1 hash: 06622045c5f36ddbb7e78a856e713781e6a71aca
MD5 hash: 28cb97f71b423eb54c7382aba89d92d5
humanhash: jig-eleven-jupiter-neptune
File name:pGmFza4Vv0hJG57.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:780'288 bytes
First seen:2022-11-19 22:53:00 UTC
Last seen:2022-11-20 00:51:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:W7DcYEDdzVJoH6xv7iZDyfwW3l57fIplGQ7zkwBnM33302IgFJN0V3foYcjZnbCx:0L8d/U6J0WV9fIz57BBnG30YCoBjZnbI
Threatray 22'390 similar samples on MalwareBazaar
TLSH T108F45AE9A893796EE5B8B25E15F1A840CAF388724EC0AE2441783DC55D339D3B161DFC
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13097/50/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
pGmFza4Vv0hJG57.exe
Verdict:
Malicious activity
Analysis date:
2022-11-19 22:55:15 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/1a9ea057-9707-480f-acf7-8ab088e130c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336225/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44627.7526.18712.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63795e4fa0efd596b82eec58/reports/2ae1dd5a-e6f5-488a-ac05-cf2d584562c0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6ad56eb-2e6a-4b0d-907c-f8e19b9e021f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1117365
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81f5eecb34f22bd640cee738295303153d9afda2a35e365d061d058fbbfed498/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-18 07:47:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
29 of 40 (72.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qh265szu6iv5mqgo444csuydcu6zv7ncunpdmxigducy7o762sma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
050f3d23f59375261c93f01e73d08cf2afb9d84363aac0289525dbb17049d7ba
AgentTesla
18759f7353b70785a05372f45cf7c6092ca649a67b7f139883143cc4a0f01387
AgentTesla
35140f02473700708c1cbcfbab0ef30664254e2e39600feccbe5221370702d8b
AgentTesla
4060ca25ee645493d07079398edda938c6d2765348874fe5359f6a2b556f6799
AgentTesla
b9b2f17e7d4822929319c5915bcd61dacdae448d66bb85c992a84c3468e8c701
AgentTesla
de21a9c1a04520a1d28a1d7a75e50c6520541ca94b7e64b4da62e35bea64fc2a
AgentTesla
f8509c0b6d1fe32ab501e4341dfec640067f9c9967e48f4e154223dd3d1e4bf2
AgentTesla
+ 22'380 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221119-2tywjaed73/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/beb9f68b-2254-4c46-9741-a95d748b4fa7
Unpacked files
SH256 hash:
7a85899d1c8a25437502fe7294b00751853fe84120d248738c4bd34ce4a70f53
MD5 hash:
ea7331e04c8e2f5b802868493caebc01
SHA1 hash:
dd687afb9a59171b9823be2f3f90131a4a931ab0
Link:
https://www.unpac.me/results/4e21eb79-05f2-4813-8600-2173a5fa7905/
SH256 hash:
c1ec67150d9449b9875157ea000d9093ccd4fd05d1ff4c5c0a615007e706adc6
MD5 hash:
6e8d94f6e8b2a073138f1aaf1f847c95
SHA1 hash:
a6b4643797ea709b8047a69b35628d8235db390e
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/4e21eb79-05f2-4813-8600-2173a5fa7905/
Parent samples :
81f5eecb34f22bd640cee738295303153d9afda2a35e365d061d058fbbfed498
fe106c74f3eeef6d52fd27e83aea992b37896aaceb6ac5b969a9cfaf096c9d54
3b980a607bf3bf7e57c2f0745195b2040ea0aafd0a9bea23d0985bff045c72db
SH256 hash:
8df658493f2f4ce4cf734d40709cc08639a4dca879146d66ab149b6487812d57
MD5 hash:
cf16b7407761cf55738ec570f41b9c30
SHA1 hash:
9ef7296ebb32e88fa7b669da463721c4f6189215
Link:
https://www.unpac.me/results/4e21eb79-05f2-4813-8600-2173a5fa7905/
SH256 hash:
f42f0ba1299d50ee9674f474bd1b53639e6dd6babe372ed79cb33a48f2f9f416
MD5 hash:
725e66c718a266820142d9d970460805
SHA1 hash:
8d07b5a46c0dc345119ebbfbc70ed77c40f6d817
Link:
https://www.unpac.me/results/4e21eb79-05f2-4813-8600-2173a5fa7905/
SH256 hash:
7f272c4db499b1501a5ea1711d23de0e6a0c07faf16275e9b01722dae889c7c9
MD5 hash:
dd8b9511dda8eb7c84e1621046828883
SHA1 hash:
7f715270ffcadcba5c3148d2a0cecfaaf6c2e805
Link:
https://www.unpac.me/results/4e21eb79-05f2-4813-8600-2173a5fa7905/
SH256 hash:
81f5eecb34f22bd640cee738295303153d9afda2a35e365d061d058fbbfed498
MD5 hash:
28cb97f71b423eb54c7382aba89d92d5
SHA1 hash:
06622045c5f36ddbb7e78a856e713781e6a71aca
Link:
https://www.unpac.me/results/4e21eb79-05f2-4813-8600-2173a5fa7905/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 81f5eecb34f22bd640cee738295303153d9afda2a35e365d061d058fbbfed498

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/336225/

Comments