MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b22abd888626ea081b6ebd01a1e293e3ddd67ff21f25758ac14ef7a4f85ad1e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	b22abd888626ea081b6ebd01a1e293e3ddd67ff21f25758ac14ef7a4f85ad1e2
SHA3-384 hash:	a9ffe34b04507b54ab420042cc3933f44975d23cc08b732cdac26a69302e17f155e3d3cca516e36c84ae3f189658a9a6
SHA1 hash:	c62df733c46c201c102d7c3f44a36c03ff013389
MD5 hash:	f46cde5bfc506138f1786edae97d5513
humanhash:	violet-wyoming-fifteen-fourteen
File name:	SecuriteInfo.com.Win32.PWSX-gen.24166.15968
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'115'136 bytes
First seen:	2022-11-08 09:39:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:gUEkyPATFrm0Rt26CB2Am4N0ZA2rNAAnb2mW8X7yR6:gUO47Rt2rsAmZ+0vW8X7+6
Threatray	22'904 similar samples on MalwareBazaar
TLSH	T10A35C0A034702FB5E67ECBF69628162483F32DA9625AF64E4CE170EB1573FD24620D17
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13097/50/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

203

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.24166.15968

Verdict:

Malicious activity

Analysis date:

2022-11-08 09:42:57 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/e545d64a-cec3-4f1d-b404-4f25e17b1845

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/330453/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.24166.15968.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/636a24005a33779d69ce9c3e/reports/66e423b0-4978-46c1-92b5-f2069e571897/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d71911db-aed0-457f-991d-63523ec1f488

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1108078

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b22abd888626ea081b6ebd01a1e293e3ddd67ff21f25758ac14ef7a4f85ad1e2/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-08 07:24:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wivl3cege3vaqg3oxua2dyut4po5m77sd4sxlcwbj332j6c22hra._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0974f06e3838a87a0e6364e011e72f8d416f64cf08557d790940d8399aca7037

AgentTesla

3767d055b8af7151cf6e469755a1fc4bb974411d4b6b0f1a322c9c6cb20e1184

AgentTesla

4073df659d58e6b8619746e412f0649a8fc4a67da64d27e4a1dcadf797cfcc70

AgentTesla

57723ebe18b3371ec8c844fa7a0bc1039b420d2cf56759a2ad3cd087b459989f

AgentTesla

94954f4e2dd4bdb9d9a25687adb61397ba91eb0dbd5d14df01fe281222cd35d4

AgentTesla

9ea9e37ac1dbdbf112de65d1aea38f6c30977e7af3b1f460d5c1530332d371fd

AgentTesla

b37d9a54e81fc3feac68afee6c776fea62e111491db1da57456452beabe118ac

AgentTesla

+ 22'894 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221108-lm78maaaf5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c6bc61c2-f7da-424d-9614-11984b364e5b

Unpacked files

SH256 hash:

13e80fde971ff150ba6cc8008a9be6c02401fa85925b91662b84f1da7b0826d8

MD5 hash:

0d529117d051d9f40242787b84fe9e0c

SHA1 hash:

90623a4bc25293f51803b60cdcad2e54fbcee67f

Link:

https://www.unpac.me/results/8b9d1dc4-87af-4142-a0fc-f7244ea8fdae/

SH256 hash:

642dc5053ff7c8236904ba7b8c45a8b7ce30804bbe4cf08de8753ac438b2bc99

MD5 hash:

b75998012d4b071bbf89675317bf00f4

SHA1 hash:

84310138656f40ac18f806eb98001429395986ed

Link:

https://www.unpac.me/results/8b9d1dc4-87af-4142-a0fc-f7244ea8fdae/

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/8b9d1dc4-87af-4142-a0fc-f7244ea8fdae/

SH256 hash:

5f4c27c4810a43d7f29b4126a2a745572ccfa6821ee645eaa6bb21b01504118e

MD5 hash:

aed2bd2c2ec6bcfa378a967cd8668299

SHA1 hash:

18e4568d44a29e38401bf6d91ca3bec245b8c219

Link:

https://www.unpac.me/results/8b9d1dc4-87af-4142-a0fc-f7244ea8fdae/

SH256 hash:

f32a5d7c703d6e13f6b794ed1fae30cfcb02f82239c0f6edf82d81da22dcd77c

MD5 hash:

661224a72294873e1a7997df2e70d52a

SHA1 hash:

135374d48e917902ced794c74a045d699a8faf18

Link:

https://www.unpac.me/results/8b9d1dc4-87af-4142-a0fc-f7244ea8fdae/

SH256 hash:

b22abd888626ea081b6ebd01a1e293e3ddd67ff21f25758ac14ef7a4f85ad1e2

MD5 hash:

f46cde5bfc506138f1786edae97d5513

SHA1 hash:

c62df733c46c201c102d7c3f44a36c03ff013389

Link:

https://www.unpac.me/results/8b9d1dc4-87af-4142-a0fc-f7244ea8fdae/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b22abd888626/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/330453/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample