MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92fd046d9037a844e44c13dd287042186f7351f9a78779408bf71004e64dbbd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92fd046d9037a844e44c13dd287042186f7351f9a78779408bf71004e64dbbd3
SHA3-384 hash: 4c15c2d5e4f7beae13d9ed8cd83f9afe88041732d04db16b9af279ceb695e1d6bfeb3b3af0fc8e5cde634a357162476a
SHA1 hash: 937c3210cf4afc9f48a81b55c5d715f41bf6cfe6
MD5 hash: 9ce8e1a2f2f63a30c739ae2161a180ec
humanhash: fourteen-indigo-pasta-papa
File name:Factura.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:536'576 bytes
First seen:2021-12-03 17:16:56 UTC
Last seen:2021-12-05 07:11:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:N2iNxtIO7wBkzSVu2cvkTTfh27jI7hOtmHyDsKOw08VPgktD00:N1vtIO7sUSVu2cvATfh27E7asFw08LC0
Threatray 13'268 similar samples on MalwareBazaar
TLSH T10EB4128676D4CBDDC5222B709D72C0B21370766E1986CE2BBED671CA1B397053112EBB
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Factura.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-03 17:19:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4591e6ff-98c9-4ec7-903d-6e5b70f6530e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211103/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61aa511147ed217c01301908/reports/7f132fc1-10cf-4fc3-853b-b7d7f520556f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2ae6effc-4162-4ad3-9951-5e5eda392dcf
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901068
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92fd046d9037a844e44c13dd287042186f7351f9a78779408bf71004e64dbbd3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 17:17:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sl6qi3mqg6uejzcmcposq4ccdbxxgupzu6dxsqel64iajzsnxpjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2cf586182f56dcc1131459031b5dca2b6c3037f5c8bc39b70ab226972b5d3d9d
AgentTesla
388edd3ce26d9cc673521915d3289a230f3ea8d1967b504104286c71c9231123
AgentTesla
432c5e67b5daa62ae24aff8a5f246ceceb40380f07fc04031f0a43b774a7fc2d
AgentTesla
46ba0e00b6abee03a811b12102ba2bd05923d6d5b07bc85303c73d5a0557aec8
AgentTesla
57cbd2793862e2d8a08b4c52dd37f0e03f42f7814a61bc546bdd3bb1db4f59e0
AgentTesla
d34b4cfc530b91d44ba82a15cdb948e4424e30ee57245f4792c8303d202df173
AgentTesla
f77c38aa6e165d296f2da40f47122148c400223fde809e38a9980dfd4b21aa6f
AgentTesla
+ 13'258 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211203-vtp53ahahn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
7902f1fc8078d6bd486b76255554820ea4fae240efa918c98213c46ec84eb929
MD5 hash:
2a6f15fbd0336966a1bfec8134a1e0a7
SHA1 hash:
74e0f31788afb1b039382fc2d26af4c9383d69e8
Link:
https://www.unpac.me/results/347a4b4b-7b93-40f6-b409-32cba3ec8fa8/
SH256 hash:
1eba3e6e55f4aa87ee88dad11183f808f00870bf6277e3ae19fb31400a1dbe5b
MD5 hash:
00b620728472aef2af115e0455930cf8
SHA1 hash:
649a4ad0f13a3176ea36b855c1b36fbce246446a
Link:
https://www.unpac.me/results/347a4b4b-7b93-40f6-b409-32cba3ec8fa8/
SH256 hash:
92fd046d9037a844e44c13dd287042186f7351f9a78779408bf71004e64dbbd3
MD5 hash:
9ce8e1a2f2f63a30c739ae2161a180ec
SHA1 hash:
937c3210cf4afc9f48a81b55c5d715f41bf6cfe6
Link:
https://www.unpac.me/results/347a4b4b-7b93-40f6-b409-32cba3ec8fa8/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/92fd046d9037/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/92fd046d9037a844e44c13dd287042186f7351f9a78779408bf71004e64dbbd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 92fd046d9037a844e44c13dd287042186f7351f9a78779408bf71004e64dbbd3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/211103/

Comments