MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b226a85b8821593522c97ef77d924a2a2fd57fafdf2b251e19fd603853b835f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b226a85b8821593522c97ef77d924a2a2fd57fafdf2b251e19fd603853b835f9
SHA3-384 hash: 5fe229be2efaa268c86330302f2202bcdb6478d5bd2280c783d940c95a0532e9b23b92cde956e5c1ae3e18afa3e9be13
SHA1 hash: f1ba60b6bcbdf157b1679aea1b90921fef3cc7c1
MD5 hash: 841324388d9a01a451aaf6d30f60f7e4
humanhash: ohio-victor-uncle-nine
File name:PLT20230402-0332.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:651'776 bytes
First seen:2023-07-25 14:46:30 UTC
Last seen:2023-07-26 04:51:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:JM20Jh5Eix9yYQTmasmilD39o//1BDalzPjVe5svqvttg5J6YcS1D:IJXX9yPilu/dBGFV6O6e5Aa
Threatray 607 similar samples on MalwareBazaar
TLSH T103D413FE72A8BD17C1AA89B94042514C37F1F293313AF7899DAC54F29A5B3B16240663
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 2d6dbd754d4d71b2 (8 x AgentTesla, 6 x Formbook, 1 x SnakeKeylogger)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
270
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PLT20230402-0332.exe
Verdict:
Malicious activity
Analysis date:
2023-07-25 14:47:29 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/423cea2a-ebbc-4e79-bf3b-a1712c931ee1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/432355/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.13291.9617.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b226a85b8821593522c97ef77d924a2a2fd57fafdf2b251e19fd603853b835f9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e4311c2-2436-416a-8dcc-6f0304481b8d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279266
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1279266 Sample: PLT20230402-0332.exe Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Sigma detected: Scheduled temp file as task from temp location 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 4 other signatures 2->80 7 PLT20230402-0332.exe 7 2->7         started        11 EXZfxCfWU.exe 5 2->11         started        13 ljwWqDx.exe 2->13         started        15 ljwWqDx.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\RoamingXZfxCfWU.exe, PE32 7->52 dropped 54 C:\Users\...XZfxCfWU.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmpD5E6.tmp, XML 7->56 dropped 58 C:\Users\user\...\PLT20230402-0332.exe.log, ASCII 7->58 dropped 90 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->90 92 May check the online IP address of the machine 7->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 7->94 96 Adds a directory exclusion to Windows Defender 7->96 17 PLT20230402-0332.exe 17 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        98 Multi AV Scanner detection for dropped file 11->98 100 Machine Learning detection for dropped file 11->100 26 EXZfxCfWU.exe 14 4 11->26         started        28 schtasks.exe 1 11->28         started        102 Injects a PE file into a foreign processes 13->102 30 ljwWqDx.exe 13->30         started        32 schtasks.exe 13->32         started        34 ljwWqDx.exe 15->34         started        36 schtasks.exe 15->36         started        signatures5 process6 dnsIp7 60 mail.sindbadclub.com 91.121.255.161, 49701, 49703, 49705 OVHFR France 17->60 62 api4.ipify.org 104.237.62.211, 443, 49700, 49702 WEBNXUS United States 17->62 64 api.ipify.org 17->64 48 C:\Users\user\AppData\Roaming\...\ljwWqDx.exe, PE32 17->48 dropped 50 C:\Users\user\...\ljwWqDx.exe:Zone.Identifier, ASCII 17->50 dropped 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->82 84 Tries to steal Mail credentials (via file / registry access) 17->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->86 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        72 2 other IPs or domains 26->72 42 conhost.exe 28->42         started        66 api.ipify.org 30->66 44 conhost.exe 32->44         started        68 64.185.227.156, 443, 49706 WEBNXUS United States 34->68 70 api.ipify.org 34->70 88 Tries to harvest and steal browser information (history, passwords, etc) 34->88 46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b226a85b8821593522c97ef77d924a2a2fd57fafdf2b251e19fd603853b835f9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 14:47:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=witkqw4iefmtkiwjp33x3eskfix5k75p34vskhqz7vqdqu5ygx4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
069c1a556943461282bfbf8411afc6213a359df9ce4894a80881e45a2ba9bc84
AgentTesla
0d03f0e57bfc9a9b4e583404b127ae9adff260762252e77d11c95bc6181188ce
AgentTesla
143a0fddc3af51f26980672385b2f8102d1b8cc473c285cc5ec40dc6c642c4a2
AgentTesla
2313b3f23146c4475ec50d51bea33e49f6167c799e418c4c08620e7a720edb04
AgentTesla
4be8d6d10fa0a2dfef52fe82adbacc99758e31d7c489d311d2f8fbd1c1672b25
AgentTesla
539c8b42e4c670a527dc2e3aa0154b7959c3c4a058f90582dd5e9284a27c43f8
AgentTesla
9f08469a0b761c0d950446b84a2cdba032bc93c0f92abbd63352ec399506248d
AgentTesla
b9795e3dcb1336ffd749e26b4bf2fc0f0b33f963cfbcd32c45d33498a037dc3c
AgentTesla
cfcc1000b4f9705f95ba899a1aad91361497a18071396842986d1d40a03d5c6f
AgentTesla
+ 597 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230725-r5vyxadb73/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
bf3e09a922fe201b9a89bc7eb51e68484d34df5eb1814ef367ed7fe33168f4d7
MD5 hash:
86b0f7019da436553da6d3025bb9e5c2
SHA1 hash:
fdd09de13a13cede11745c52015e4ae02a7098f6
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/73a75120-a9ca-43e2-87c8-e4b2be2d827c/
Parent samples :
b226a85b8821593522c97ef77d924a2a2fd57fafdf2b251e19fd603853b835f9
cf5b1fe7a9600b5f132475ef3586dccd40e8559e9637d3f9b20e73f55d77961d
9ed469c0100e0d6435a740bf4eed345bc7803a5e7c957473277acd5c782179c0
81f212a2fc589aaec29e362c17af8209bb0ebfc4e92b1c8b0a2da3a3e62c65a9
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/73a75120-a9ca-43e2-87c8-e4b2be2d827c/
SH256 hash:
12f424722a1cab2604c6bc56bc032ef8b11e9950421a67be4338bbbc6c0f25f4
MD5 hash:
0faec129c4361d3de0f2347466c1929f
SHA1 hash:
398a524098741efda105b91323526249fd833d0b
Link:
https://www.unpac.me/results/73a75120-a9ca-43e2-87c8-e4b2be2d827c/
SH256 hash:
b9a20d6a037273d22acfef040a5ee5eaf300f8ed3cfa174ef8a7c400b3753105
MD5 hash:
f2ddeb90f1d02f7f07a7d4784907f037
SHA1 hash:
03ecca6a926462f1559c29e0d59dd99ed62b60fa
Link:
https://www.unpac.me/results/73a75120-a9ca-43e2-87c8-e4b2be2d827c/
SH256 hash:
b226a85b8821593522c97ef77d924a2a2fd57fafdf2b251e19fd603853b835f9
MD5 hash:
841324388d9a01a451aaf6d30f60f7e4
SHA1 hash:
f1ba60b6bcbdf157b1679aea1b90921fef3cc7c1
Link:
https://www.unpac.me/results/73a75120-a9ca-43e2-87c8-e4b2be2d827c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b226a85b8821/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b226a85b8821593522c97ef77d924a2a2fd57fafdf2b251e19fd603853b835f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d63f001d996d530575f01103662b84d1daf8fecd37cc36fc5990458b2954b567

AgentTesla

Executable exe b226a85b8821593522c97ef77d924a2a2fd57fafdf2b251e19fd603853b835f9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/432355/
  
Dropped by
SHA256 d63f001d996d530575f01103662b84d1daf8fecd37cc36fc5990458b2954b567
  
Dropped by
MD5 4973639fdafc5f4c42e6fe6e502e822f

Comments