MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a157f236b925cda23175a9caeeb37842670ad730a0ad13dc9c526a81f02f7452. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a157f236b925cda23175a9caeeb37842670ad730a0ad13dc9c526a81f02f7452
SHA3-384 hash: 8dbd8c8cba3f037c953d0a979074cb721738c76164bfb599dbfd92e177b4899a98156de8f79a4be2c19470877966f536
SHA1 hash: 6f51df86758eab194ee3372f090a8af4e22e3678
MD5 hash: fbb2a462a32d18384fc2416fbbdda47b
humanhash: september-equal-fix-tennis
File name:SecuriteInfo.com.Win32.PWSX-gen.17591.24023
Download: download sample
Signature AgentTesla
Create hunting rule
File size:921'088 bytes
First seen:2022-10-05 12:27:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:yR/4veH0n0MfTn+oLkp1LcSNodzeF/ec8PLZjrA:o4veH0n0MT+oYX7ydyBYVjr
Threatray 20'269 similar samples on MalwareBazaar
TLSH T10315DF3206A6DA0BD5166334DDE3C3F1AFE85EA0A5B1C2478FE9FC6BF4470A6A601145
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316898/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.17591.24023.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633d785449c58ce767c63964/reports/3aef67e4-6fc5-46b8-90cb-b4c66859cc52/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ccf9ed7b-5616-4e25-9fe1-30e3d60eba75
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084099
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 716659 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 05/10/2022 Architecture: WINDOWS Score: 100 42 api.telegram.org 2->42 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Sigma detected: Scheduled temp file as task from temp location 2->48 50 8 other signatures 2->50 8 SecuriteInfo.com.Win32.PWSX-gen.17591.24023.exe 7 2->8         started        12 farOaYlqX.exe 5 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\Roaming\farOaYlqX.exe, PE32 8->34 dropped 36 C:\Users\...\farOaYlqX.exe:Zone.Identifier, ASCII 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmp2AC6.tmp, XML 8->38 dropped 40 SecuriteInfo.com.W...17591.24023.exe.log, ASCII 8->40 dropped 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->52 54 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->54 56 Uses schtasks.exe or at.exe to add and modify task schedules 8->56 58 Adds a directory exclusion to Windows Defender 8->58 14 powershell.exe 21 8->14         started        16 powershell.exe 21 8->16         started        18 schtasks.exe 1 8->18         started        20 SecuriteInfo.com.Win32.PWSX-gen.17591.24023.exe 2 8->20         started        60 Machine Learning detection for dropped file 12->60 62 Injects a PE file into a foreign processes 12->62 22 schtasks.exe 12->22         started        24 farOaYlqX.exe 12->24         started        signatures6 process7 process8 26 conhost.exe 14->26         started        28 conhost.exe 16->28         started        30 conhost.exe 18->30         started        32 conhost.exe 22->32         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a157f236b925cda23175a9caeeb37842670ad730a0ad13dc9c526a81f02f7452/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 12:28:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ufl7envzexg2emlvvhfo5m3yijtqvvzqucwrhxe4kjvid4bporja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3b84b73506255cc004a7d907f244a6c4394adea87102125d1d5d44ea4857008b
AgentTesla
3d4675990a22b7b649b90e569b987c1ea4324237add09703a6935725a82b4f78
AgentTesla
422c889c762982d5a1a035a72950eb671d388dc9da9dbcd4621e54c7b6e835d1
AgentTesla
64c61226adf3b067bc876db3a40f516e3f66f9de821525777921963463ff6cdb
AgentTesla
acc9bb38581081506db62caf5850f4b8819296a1be01202b47c44d3950e7ebb2
AgentTesla
aefa72ffc5e01d200d8807d687a43b7450af469fdb3ae8761393c231e7c7f498
AgentTesla
da0fec7d1d1432cefd0a6bbedd308073f8aaaab98f33235cb76e777c09e7dd18
AgentTesla
f6296973ab1f1e7ab66b2ff2e79a241471555235b4ad6f909163abcaa778f3ce
AgentTesla
+ 20'259 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221005-pnbgtseeek/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
AgentTesla payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cc1b5419-af7c-428b-933b-647f398bb619
Unpacked files
SH256 hash:
5fbdcb76c77563ed3d729fdca3396169c54443253001cf9b1b6b75a0f75cdcb4
MD5 hash:
629c31e71cfa6aab7a62bef45298816c
SHA1 hash:
932da9270d08d3b97ad1fb75e3d3180481f91096
Link:
https://www.unpac.me/results/a35fde17-4cf3-4472-a4fd-8633176fb551/
SH256 hash:
c78401563e8d5557050f906f12a71b10d5f0a6650d012ba6c8fbe99a11f80668
MD5 hash:
55b76ea1ac804d6fed4f499ba47a070c
SHA1 hash:
8aed16136be9eec31bc1d0c38513008acd286d9a
Link:
https://www.unpac.me/results/a35fde17-4cf3-4472-a4fd-8633176fb551/
Parent samples :
ee786b17c0debabc35aaa386da758c13cc9e0952b0d2d4e265756f493f82c2ed
9bf192a23eeb844b6e8b01c41d085d1c2bfb576653732d99d7468571f1a28fb5
53643684e723ff5fe2cfef8ab65cd8395120f618223e4fa44c2fad60e0b0e29a
9196273424391332296b033958a8271b9937e8688e3a3c36bd04d5dd62f164cc
SH256 hash:
b7ca97ca2b7b62422c232375d9c8a8c0758036e1b468e8c2d86a61aa120dbdee
MD5 hash:
5712e360f57a61ba6dd2044bd9fd8ef1
SHA1 hash:
6425b01e98ea3a2c112ba1ce32f62916ad1bcf8a
Link:
https://www.unpac.me/results/a35fde17-4cf3-4472-a4fd-8633176fb551/
SH256 hash:
8766e549a130653bc3560fb048e65ccaf6e3e6e9d89831dcb43eaf7017c87a58
MD5 hash:
4619a9bc6ea4286aece9240220622412
SHA1 hash:
0df0812e614f067535f278d569400f64ee524732
Link:
https://www.unpac.me/results/a35fde17-4cf3-4472-a4fd-8633176fb551/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/a35fde17-4cf3-4472-a4fd-8633176fb551/
SH256 hash:
a157f236b925cda23175a9caeeb37842670ad730a0ad13dc9c526a81f02f7452
MD5 hash:
fbb2a462a32d18384fc2416fbbdda47b
SHA1 hash:
6f51df86758eab194ee3372f090a8af4e22e3678
Link:
https://www.unpac.me/results/a35fde17-4cf3-4472-a4fd-8633176fb551/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a157f236b925/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a157f236b925cda23175a9caeeb37842670ad730a0ad13dc9c526a81f02f7452

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316898/

Comments