MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 947656f82f97b060b6e7ea3fa904ab81632c5034ddad177fd024c29b2e222933. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	947656f82f97b060b6e7ea3fa904ab81632c5034ddad177fd024c29b2e222933
SHA3-384 hash:	ceb71c0164d696ef5fa9cc89c660a47404e6ddf0f3fb42a9f6312d3b60932d5d636ab3c692a02b01a6659c7d825ea018
SHA1 hash:	adda0472966a2aceabab721e150990aaa2a2c938
MD5 hash:	fcd22f8d7de9651138f589cdfe8de3db
humanhash:	ceiling-alaska-diet-robin
File name:	decode_2b7cf3a17e9659017e8aee42f4a9be35522b643b6ae4b5f7ed65a9d54422446e
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	243'200 bytes
First seen:	2023-08-30 14:16:19 UTC
Last seen:	2023-09-05 17:59:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	3072:BQuqHDK5m2OqRWeboaVeg+x3dHbss5g/di:vsqRWebj+x3dHp5g
Threatray	5'577 similar samples on MalwareBazaar
TLSH	T14334FF177E44EB11D2AC3D3B82DF6D2453F2A0C70673964BAF48AEA525812436D6E37C
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	jstrosch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

decode_2b7cf3a17e9659017e8aee42f4a9be35522b643b6ae4b5f7ed65a9d54422446e

Verdict:

Malicious activity

Analysis date:

2023-08-30 14:19:13 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/016d69e6-e371-4b1b-b367-ba3359e262d6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/445325/

Detection(s):

Win.Packed.Generic-10003641-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware hacktool lolbin packed packed replace

Link:

https://www.filescan.io/uploads/64ef4f601d3a8c6c1217f241/reports/2b95a098-e1ca-4211-9ed2-7d32d6d1e9da/overview

Verdict:

Malicious

Labled as:

Trojan.MSIL.Basic.8

Link:

https://www.hybrid-analysis.com/sample/947656f82f97b060b6e7ea3fa904ab81632c5034ddad177fd024c29b2e222933

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c092354a-f329-419d-847c-2f063fe76ec3

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1300447

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/947656f82f97b060b6e7ea3fa904ab81632c5034ddad177fd024c29b2e222933/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-08-30 14:17:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sr3fn6bps6ygbnxh5i72sbflqfrsyubu3wwro76qetbjwlrcfezq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

5167b917426b8435d81522f885966f00cbf7f5b896e2a6b18696bb0f1194756c

AgentTesla

78589730c5ebfb1b95ff5a9351a22f312fcf5087523f4ef38b93be6fbfa64655

AgentTesla

99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455

AgentTesla

d254597f97b77a7c2e13c980947c0b19a24f21cea9226826c2a9bd13d7a5e335

AgentTesla

df72be5f9ed3c15149f37c8fdb80683554f439257317837b0b6bb96dc4cac387

AgentTesla

+ 5'567 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230830-rlpb1sfa6v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

947656f82f97b060b6e7ea3fa904ab81632c5034ddad177fd024c29b2e222933

MD5 hash:

fcd22f8d7de9651138f589cdfe8de3db

SHA1 hash:

adda0472966a2aceabab721e150990aaa2a2c938

Detections:

AgentTesla

Link:

https://www.unpac.me/results/5a917734-93de-44db-8c03-e2a56c6897a4/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/947656f82f97/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/947656f82f97b060b6e7ea3fa904ab81632c5034ddad177fd024c29b2e222933

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/445325/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample