MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b05548e7921f293f59a8fa99b2eba03957daa2ae01275e48d94a75a3ca941288. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b05548e7921f293f59a8fa99b2eba03957daa2ae01275e48d94a75a3ca941288
SHA3-384 hash: 1cc0039a36c2acc08c625d60951843c6af13872a7e541810d6cfa9012b4489715dc600a0a8ab917f3bb07e50aa978057
SHA1 hash: 5646d9f445085065a36020dd77c44da3112948ce
MD5 hash: aaa5a54c4e42d32d2e17f5bea435173b
humanhash: speaker-gee-pluto-maine
File name:Maerskline New Shipment-SOL10123127.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:931'328 bytes
First seen:2023-03-28 07:03:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:f8VZ9NZCKaWtUuKVcHSc/oCrlKScFcYw:A3PCQWuKASc/oEPcux
Threatray 2'002 similar samples on MalwareBazaar
TLSH T14115D0ACF640B59FCB17CD7699541C60EA2C64E7431BD603A01722AF9DEC69ACF131E2
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:AgentTesla exe Maersk

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Maerskline New Shipment-SOL10123127.exe
Verdict:
Malicious activity
Analysis date:
2023-03-28 07:05:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/98b4524c-0d5b-415e-8081-c94b7a947283

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378094/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/64229165a6b4db3649e8f24e/reports/b1f42956-83d7-4a1b-bb26-230becb495bc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b05548e7921f293f59a8fa99b2eba03957daa2ae01275e48d94a75a3ca941288
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f40a8279-6563-4528-89bb-773bf654697c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1203203
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b05548e7921f293f59a8fa99b2eba03957daa2ae01275e48d94a75a3ca941288/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-28 02:26:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wbkurz4sd4ut6wni7km3f25ahfl5vivoaetv4sgzjj22hsuuckea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
14dc4992e993f0b0b7b176ee8dd0314ab77e1512e6319f0369b6f9fe45369297
AgentTesla
2c5117280800871fbceb13a571a8d602c17f3c08247c8ccf546bb9dc8adda73e
AgentTesla
2e88105d979bfbe65b2ed9322114fc21ef9e1fdb324a63d6198defd1e976d36e
AgentTesla
462b121f72bc42fcefcfc67174e4de53083b977458c7ed3d4009eec6bddd3f1b
AgentTesla
493781dc1d845e09f96742dfdc2edaef673ac5d4b2139875929166f2627dc161
AgentTesla
918057f4d236bf49e9efaceb3c4aaab580baf9960ac45d2fe8d97c5d98111f73
AgentTesla
c0cbab8b9504e2575456d0f902b264123362665031999a3f780c2a5c2f0b9512
AgentTesla
e31e0251690d0da33289eff6d43dafb913314b28637667b2017bae3d99e95119
AgentTesla
f3341ea77e5c8f5e57ee22b1842656ff8225d0fef647bef19d0b0fcc6b87200d
AgentTesla
+ 1'992 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230328-hvysdahe48/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Unpacked files
SH256 hash:
b4b190818a658f0b64f5aa6d39e901e9d731bf1f58fa072b4c73120a96489bdb
MD5 hash:
3c6f8b2e78f5ebf58c4f170b30c04607
SHA1 hash:
c0ee09a1a9d1c673ad7eadabab7de44ebe0ff765
Link:
https://www.unpac.me/results/0f4246ce-09c0-46cc-8e7c-265a715f7f22/
SH256 hash:
0f3faa2f6bfada02764e62ee83de0a3b03d47b5bca274b8d8a02e61f9e586dd3
MD5 hash:
9a19a2fa07f942f98ca2a5bd82b205f8
SHA1 hash:
a04880a42b6bb838ef8c3a1da3d2e7fbd9537c01
Link:
https://www.unpac.me/results/0f4246ce-09c0-46cc-8e7c-265a715f7f22/
SH256 hash:
72058181e69109dc500d537e066936af0c82bed462a22a71b68ac016b270deea
MD5 hash:
4b058879a00a5dbbb2904f0d78da9e03
SHA1 hash:
20fce43ded52aeae212b2114c58949ff5769a2b9
Link:
https://www.unpac.me/results/0f4246ce-09c0-46cc-8e7c-265a715f7f22/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/0f4246ce-09c0-46cc-8e7c-265a715f7f22/
SH256 hash:
30a9bb0a262628e883cb6ef8a59e4f4bc66cad1b54278439515a5026b12fe32f
MD5 hash:
48b9d08202a6e3c871d33f24cb86ee4d
SHA1 hash:
1a74da84bb3062baf0681c0b1d103e9e4d0154fe
Link:
https://www.unpac.me/results/0f4246ce-09c0-46cc-8e7c-265a715f7f22/
SH256 hash:
b05548e7921f293f59a8fa99b2eba03957daa2ae01275e48d94a75a3ca941288
MD5 hash:
aaa5a54c4e42d32d2e17f5bea435173b
SHA1 hash:
5646d9f445085065a36020dd77c44da3112948ce
Link:
https://www.unpac.me/results/0f4246ce-09c0-46cc-8e7c-265a715f7f22/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b05548e7921f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b05548e7921f293f59a8fa99b2eba03957daa2ae01275e48d94a75a3ca941288

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b05548e7921f293f59a8fa99b2eba03957daa2ae01275e48d94a75a3ca941288

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/378094/

Comments