MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a229b01fd4888c399c9310fdb53edbee125121f96cb7f6c710adcd616a4c3677. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a229b01fd4888c399c9310fdb53edbee125121f96cb7f6c710adcd616a4c3677
SHA3-384 hash: 2d9034d26537c087bffba25e75c97b828d941dc3586fd80f7f3cc37b429ea2994a317a6325e6110d1ebf0870a6a5648b
SHA1 hash: e7d98a430775ac191aa084b5f320b8de10686bfd
MD5 hash: c7b6c4db5687fa811a197be43f49b065
humanhash: sodium-helium-kilo-lamp
File name:8Bdwzkseq1DI4PR.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:710'656 bytes
First seen:2023-06-05 14:50:29 UTC
Last seen:2023-06-05 14:55:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:W2N8jiZ4zypIPs0tPplTY6RhKu99HJvxRCagU6Je2YtmVWYWmo+HWA2/o0PXHFxI:W2N8jiZ4zypIPs0JTDEC7gbccWmddyXY
Threatray 3'094 similar samples on MalwareBazaar
TLSH T1D0E4029512BAAB46D8BB93F4045452B8033F9C5B7533E3079EE7F0CA5968B044B46F2B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter cocaman
Tags:AgentTesla exe payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
307
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8Bdwzkseq1DI4PR.exe
Verdict:
Malicious activity
Analysis date:
2023-06-05 14:52:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb49d39a-ff97-442c-8a66-9c128b20fa2f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/395863/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67201596.6060.16557.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/647df6592fa8c4ab97550023/reports/243d2b44-968e-441b-a2d4-6c6db1cca23e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a229b01fd4888c399c9310fdb53edbee125121f96cb7f6c710adcd616a4c3677
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3bc7da79-44f0-4321-9dbb-7ff79a374b3a
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1248866
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a229b01fd4888c399c9310fdb53edbee125121f96cb7f6c710adcd616a4c3677/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 08:31:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uiu3ah6urcgdthetcd63kpw35yjfcipzns37nryqvxgwc2smgz3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19d89eb7dffdde1f430586fd0fbcb87e5e6b7bfc3ccb9ee1a80dfcf92c30c94b
AgentTesla
4f83fcc39abe5edc0e1ff4abdfb7fb49b01ee918c3c0ab6f0378551450349271
AgentTesla
52f7df04cb306719eead0d602947612f3b909ef4fba8029af064891882ff4048
AgentTesla
83311d05b5263b0c8cb8f264584d823d1eb95175322c7dcc13877ae13351775a
AgentTesla
9f615d71befab152d5d48bca4568fd8a85b2ef53966c2c054fa703a1a8f89420
AgentTesla
aa32e78de8afd5fb932a8d887fa1e4d5412f6433659e5cc53a39019107ff5130
AgentTesla
c0d2175379d5613de7a562df8a96a3aa3a9c1b740380aa4a43026a534fc39ef9
AgentTesla
c67f1aa3ba774093756918e8dc2a2064e1d8e39a91f09c01d55ad38e73ef5a3e
AgentTesla
e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4
AgentTesla
f9d49ba395212bc46444ac00546a04c8da9b251ce103adf52d9c80be61f6348c
AgentTesla
+ 3'084 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230605-r75wwshg61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5473903116:AAH0COryXTO6kCeNjQRiy6Z66WJsa9yts6c/
Unpacked files
SH256 hash:
5b57d4627bffd41a75cf601f689e8be2dc4d65ae3be2dc0fd40614ec8abd2d66
MD5 hash:
93420ed10f4b18fcf098ad56f52822d3
SHA1 hash:
f6671894aa739658f0a9c0bb0ae65c1c128ca47c
Link:
https://www.unpac.me/results/3e56a2d0-3b8f-41f4-b073-eb18e37cd686/
SH256 hash:
61f433521d6804c91116d5a817b290e15d00d91818279f8cfbf9b2da61a39bae
MD5 hash:
cfd9f99a6954570a6bec1562b16abb94
SHA1 hash:
ee76260ff8d89b1aa55c3772fd9c87c619133224
Link:
https://www.unpac.me/results/3e56a2d0-3b8f-41f4-b073-eb18e37cd686/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/3e56a2d0-3b8f-41f4-b073-eb18e37cd686/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb
MD5 hash:
de906fce89f615f303ddfb80c1b37b35
SHA1 hash:
3568e3f9f0731da9a3294f4f8de61f95dc3eec31
Link:
https://www.unpac.me/results/3e56a2d0-3b8f-41f4-b073-eb18e37cd686/
SH256 hash:
af951d655441882242ceafc33ccf660785fa31d64a429863d508c71dfeb94801
MD5 hash:
fefe8f5df3f39806d06010352b83f908
SHA1 hash:
1bddf68497747d90faa900fba68dc46508a12910
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/3e56a2d0-3b8f-41f4-b073-eb18e37cd686/
Parent samples :
f9d49ba395212bc46444ac00546a04c8da9b251ce103adf52d9c80be61f6348c
e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4
a229b01fd4888c399c9310fdb53edbee125121f96cb7f6c710adcd616a4c3677
5058d993163b6a49d2fa6b102c03da4217787bbb50026e84d111f85cf0241219
SH256 hash:
a229b01fd4888c399c9310fdb53edbee125121f96cb7f6c710adcd616a4c3677
MD5 hash:
c7b6c4db5687fa811a197be43f49b065
SHA1 hash:
e7d98a430775ac191aa084b5f320b8de10686bfd
Link:
https://www.unpac.me/results/3e56a2d0-3b8f-41f4-b073-eb18e37cd686/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/a229b01fd4888c399c9310fdb53edbee125121f96cb7f6c710adcd616a4c3677

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 f0bc874f7ad8f7be9d4bf7627c49d72ec39148ab29a2803c2667dea45475028f

AgentTesla

Executable exe a229b01fd4888c399c9310fdb53edbee125121f96cb7f6c710adcd616a4c3677

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 f0bc874f7ad8f7be9d4bf7627c49d72ec39148ab29a2803c2667dea45475028f
Cape
Cape
https://www.capesandbox.com/analysis/395863/
  
Dropped by
MD5 1d4d072f8acab45b2df2a002c6fba4c6

Comments