MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2529986a8973dcb1028129512298ae4deffdc5a1e2ac225aa7f54fc44f6830a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2529986a8973dcb1028129512298ae4deffdc5a1e2ac225aa7f54fc44f6830a
SHA3-384 hash: 3e7eea5c6bba8c1919e200d2717442c81f5f79fbb369745684e656ad895b64000d7416a39df71e0cc6c3306c09eb3c2d
SHA1 hash: 0e12a9f1329de8a9fef1b4fb036efc16b3a2920e
MD5 hash: ab8fe952c1a46d0335861441b624728d
humanhash: early-vegan-lactose-fish
File name:SecuriteInfo.com.Win32.PWSX-gen.8839.11249
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'069'056 bytes
First seen:2023-03-01 19:34:54 UTC
Last seen:2023-03-03 09:18:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:VwyZV5JaH7z1KjbItTAXlwywzIrwd7LkOMgOYkS2/NCg0Y2JwM/nwC5LVJOJ:5xqywggShYa/NCgawM/nwcVJO
Threatray 87 similar samples on MalwareBazaar
TLSH T151358CC637BDD422F4EBA032461521CA3A75F5877212F12BA737BB518601BFF7A89580
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3044b271f0e8e0ba (14 x SnakeKeylogger, 13 x AgentTesla, 4 x Formbook)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.8839.11249
Verdict:
Malicious activity
Analysis date:
2023-03-01 19:38:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f4ad5f0d-c6eb-4ca6-95e8-38bb18810ec8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370962/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.8839.11249.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63ffa8e866e79c93ba0d5e45/reports/9c5b134b-1992-4452-9922-23092bd6c7fa/overview
Verdict:
Malicious
Labled as:
MSIL.Bladabindi.Generic
Link:
https://www.hybrid-analysis.com/sample/b2529986a8973dcb1028129512298ae4deffdc5a1e2ac225aa7f54fc44f6830a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb2bd1ef-f5a5-4044-a2a3-7b8b0e8c0585
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1185195
Signature
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 818048 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 01/03/2023 Architecture: WINDOWS Score: 100 61 api.telegram.org 2->61 67 Snort IDS alert for network traffic 2->67 69 Sigma detected: Scheduled temp file as task from temp location 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 4 other signatures 2->73 8 SecuriteInfo.com.Win32.PWSX-gen.8839.11249.exe 7 2->8         started        12 AvXRYzvCamo.exe 5 2->12         started        14 GsHLJkZ.exe 2->14         started        16 GsHLJkZ.exe 2->16         started        signatures3 process4 file5 53 C:\Users\user\AppData\...\AvXRYzvCamo.exe, PE32 8->53 dropped 55 C:\Users\...\AvXRYzvCamo.exe:Zone.Identifier, ASCII 8->55 dropped 57 C:\Users\user\AppData\Local\...\tmp1971.tmp, XML 8->57 dropped 59 SecuriteInfo.com.W....8839.11249.exe.log, ASCII 8->59 dropped 83 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->83 85 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->85 87 Uses schtasks.exe or at.exe to add and modify task schedules 8->87 89 Adds a directory exclusion to Windows Defender 8->89 18 SecuriteInfo.com.Win32.PWSX-gen.8839.11249.exe 17 5 8->18         started        23 powershell.exe 19 8->23         started        35 2 other processes 8->35 91 Multi AV Scanner detection for dropped file 12->91 93 Machine Learning detection for dropped file 12->93 25 AvXRYzvCamo.exe 12->25         started        27 schtasks.exe 12->27         started        95 Injects a PE file into a foreign processes 14->95 29 GsHLJkZ.exe 14->29         started        37 2 other processes 14->37 31 GsHLJkZ.exe 16->31         started        33 schtasks.exe 16->33         started        signatures6 process7 dnsIp8 63 api.telegram.org 149.154.167.220, 443, 49698, 49701 TELEGRAMRU United Kingdom 18->63 65 192.168.2.1 unknown unknown 18->65 49 C:\Users\user\AppData\Roaming\...behaviorgraphsHLJkZ.exe, PE32 18->49 dropped 51 C:\Users\user\...behaviorgraphsHLJkZ.exe:Zone.Identifier, ASCII 18->51 dropped 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->75 77 Tries to steal Mail credentials (via file / registry access) 18->77 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->79 39 conhost.exe 23->39         started        81 Tries to harvest and steal browser information (history, passwords, etc) 25->81 41 conhost.exe 27->41         started        43 conhost.exe 33->43         started        45 conhost.exe 35->45         started        47 conhost.exe 37->47         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2529986a8973dcb1028129512298ae4deffdc5a1e2ac225aa7f54fc44f6830a/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 17:58:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
11 of 39 (28.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjjjtbvis464webickkrekmk4tpp7xc2dyvmejnkp5kpyrhwqmfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
24c69122ace7d707b1838376111192f2bcdbd02531521b656536773b8bc4710c
AgentTesla
366d56c69b0267ee6ac2a27cc199911123ed7f511d3e54ac1c69f52236644e84
AgentTesla
478dba764af2f0d8179f62518b9d675cec897722b4bc9dc75b5bf66cbca0b9a0
AgentTesla
808af00d1b4ec59a042cfa6d2a46549fca9d2d588847287bab70321622e008cd
AgentTesla
91855c7204cf7b1a4a56e87b16e5cde14eb8aba073690ca817f2b937130135d6
AgentTesla
c551529018bda5ce4f1f7c2fbbebad88a1544151676521feb0bb5fcacc4a48be
AgentTesla
ea46cc06d4376c90836299719c0fb4bdc65e8edfc9fa367d0daa3e7cd3e63e77
AgentTesla
f530c59ffce92c129896bbe4c2df821ac097d696e2a3f3f99e3bd4aaa5c6ace8
AgentTesla
+ 77 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230301-yanpnshd8y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5829039825:AAHUTzihFHkYnCe5S3O2k7aL4dVLIHvYzbo/
Unpacked files
SH256 hash:
40887936a802efda8b68f7ebd3e542a6868d7e930fb5650ee219ea249f487b44
MD5 hash:
a4bc278f7d0135513963fbddb94e5e2f
SHA1 hash:
f61ee3041d84d8c66d0b110bd1cb9a95add7fb8c
Link:
https://www.unpac.me/results/b55b6b9f-81ea-4317-9646-b18e5cd4d821/
SH256 hash:
4b285c20ab0272c7b0cc6ba731951a0e82a9453bf4081f895bb6c7ec58c02c1b
MD5 hash:
dee6be8e9ccf642e017ababa2be45c28
SHA1 hash:
d6e427b2f8a49e55248e8f94ee2cab88d00b6a05
Link:
https://www.unpac.me/results/b55b6b9f-81ea-4317-9646-b18e5cd4d821/
SH256 hash:
75754b7b7632813b97921789a5ddb0ff42e2ba0776769fcfab64d99b4c9dcd44
MD5 hash:
c2e2516c28721ec8b44f236cdce0e675
SHA1 hash:
a353ce78b0b097ec6a09c0b0fe79365da3df9a6d
Link:
https://www.unpac.me/results/b55b6b9f-81ea-4317-9646-b18e5cd4d821/
SH256 hash:
9238f3dc0a48695b9d7b88d7ab0922316caa4c16abfd0b6a14770bc5d73e719a
MD5 hash:
3f55a3102497e51fdc2f7887b0223755
SHA1 hash:
355b4fd63d2fabc61e2876d83e71bc52351aa6bc
Link:
https://www.unpac.me/results/b55b6b9f-81ea-4317-9646-b18e5cd4d821/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/b55b6b9f-81ea-4317-9646-b18e5cd4d821/
SH256 hash:
b2529986a8973dcb1028129512298ae4deffdc5a1e2ac225aa7f54fc44f6830a
MD5 hash:
ab8fe952c1a46d0335861441b624728d
SHA1 hash:
0e12a9f1329de8a9fef1b4fb036efc16b3a2920e
Link:
https://www.unpac.me/results/b55b6b9f-81ea-4317-9646-b18e5cd4d821/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b2529986a897/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b2529986a8973dcb1028129512298ae4deffdc5a1e2ac225aa7f54fc44f6830a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370962/

Comments