MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b163fbf05c76b6ecf5065dbad14bc2079964dbfedeb76d6f3e9da339c0f33253. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b163fbf05c76b6ecf5065dbad14bc2079964dbfedeb76d6f3e9da339c0f33253
SHA3-384 hash: 8dfcb5afe845aa4054bd4cce18a7cc59999ae20c96a043deffb6056faead7a0e7abdaa4e7b865f7d34bee983b1e5f2ae
SHA1 hash: b75247c8e0fc9975f48812aa0aa5a018d6d0f4bf
MD5 hash: e199b9ef5ff968fa578f5ca96e71d29d
humanhash: oven-football-princess-johnny
File name:Zahlung001,jpg.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'251'328 bytes
First seen:2022-09-28 09:15:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:hIGp/pUt8fjVc/poJY3Th89r9Opbj+ubrBfoC:Hp/pa8YJjOF9OMCB
Threatray 19'963 similar samples on MalwareBazaar
TLSH T1E645E06E36957A8FC017D93989D4CDB1EB55AC22A71BC243A2C70D5FF40D9A6CF103A2
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Jazzo74911657
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314294/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63341098d089a0c15dd28b56/reports/bcf19557-b2ce-4d39-9fd5-5193915b0d76/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/63dba274-a823-419c-9f6a-1749c9604f24
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1079090
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b163fbf05c76b6ecf5065dbad14bc2079964dbfedeb76d6f3e9da339c0f33253/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-28 03:56:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wfr7x4c4o23oz5iglw5ncs6ca6mwjw76323w23z6twrttqhtgjjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08db0f66ab8d81a0fcde9a0c032675458fb3b46d1599cc0a3d122de89dde5b82
AgentTesla
59cf1e86d967229dce88f3580f5a4e5332b49def248c055f43529cf808d169f1
AgentTesla
65f47b6044414100359d76cd579fe73fdea872525b9da1b4cc2e7b665d571d17
AgentTesla
7161a182643b322144e31fe19128eb7fdcac2a19333120e05c128b17a71d30a5
AgentTesla
ab91459253a14ca086ed1b79f0958b331fc09b7d611ef953ca85c045ff43024e
AgentTesla
c12780831455d11678c4f38afa6c20585685c2ba8ada4c0d806b774ea16f4301
AgentTesla
d1be2499de89be1f90b8fba3abbf20cfd30152c3ae10674152b2604ac86d76ac
AgentTesla
d5af77fbabd67255d4d1f3e31f0379496c8dd2401198f663e9dc25c64851d5e2
AgentTesla
ee37c95d10c93066599d6de775cc3b91503feff1509d12257fa5c83e7875e0f1
AgentTesla
+ 19'953 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220928-k7wvnafea6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4fb274bb-a816-43f1-9230-8b2ae7d8c9fe
Unpacked files
SH256 hash:
1fcd72ef9722f019e4dd152ae4a1388e4c1eeb2f290956c9f7647403c3836796
MD5 hash:
753d39c14115f55842367990d76be391
SHA1 hash:
e5769faf8af5b2da88641eebac1f7326e76b2918
Link:
https://www.unpac.me/results/7ae36808-125b-4abe-abbe-43354efaba2c/
SH256 hash:
9346724c569eda755d4390208466b6276ed055c5f7d47722e2a1501977de4349
MD5 hash:
46ca74828757f9af3e29f447260abf6b
SHA1 hash:
ab448ac8b80517f6d4a2ff7fbee6d4c8e0f74b99
Link:
https://www.unpac.me/results/7ae36808-125b-4abe-abbe-43354efaba2c/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/7ae36808-125b-4abe-abbe-43354efaba2c/
SH256 hash:
c9d6a75e10df39a04d483fc05d9e39613ea274b8af938ebc76f957ca6ddea775
MD5 hash:
38268bc14f5fb674887ccb9b6ad6ad1a
SHA1 hash:
26a4740ef3e291d69e38c983981946b589101c33
Link:
https://www.unpac.me/results/7ae36808-125b-4abe-abbe-43354efaba2c/
SH256 hash:
edadc813f4440ada276da601d8f31780e5e138b8ee392e3f49a509322a1fb51e
MD5 hash:
574597554c69083c1af2b742a97a92b6
SHA1 hash:
043eea660b8650c5a0042f842fd8db3516d37a2c
Link:
https://www.unpac.me/results/7ae36808-125b-4abe-abbe-43354efaba2c/
SH256 hash:
b163fbf05c76b6ecf5065dbad14bc2079964dbfedeb76d6f3e9da339c0f33253
MD5 hash:
e199b9ef5ff968fa578f5ca96e71d29d
SHA1 hash:
b75247c8e0fc9975f48812aa0aa5a018d6d0f4bf
Link:
https://www.unpac.me/results/7ae36808-125b-4abe-abbe-43354efaba2c/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b163fbf05c76/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b163fbf05c76b6ecf5065dbad14bc2079964dbfedeb76d6f3e9da339c0f33253

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/314294/

Comments