MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2e927c33beb8e5f1b48f7f2accc05ab7d96baf812a53299e950aa96e98cd109. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2e927c33beb8e5f1b48f7f2accc05ab7d96baf812a53299e950aa96e98cd109
SHA3-384 hash: ef4f03c96ce6d0028519cca4841774ee8e3241a3d5e41171a5d360851268d0a53a76deace9345ff2d13cc4e8700a9993
SHA1 hash: 7f3cfd93b690c4693001b8ff74bdce3e7b794ff7
MD5 hash: c08cb88535a333e1397cbb57e7a24201
humanhash: sad-neptune-quebec-east
File name:Ödeme Onay Fişi.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:965'632 bytes
First seen:2023-09-23 08:04:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:42iNNEisUH/tXwk7CVu7I2XZHQXFJODhNgq2QBQQjqQkMO9LrnwI+:41XEWeaCMU2lQ1YhNgqoKob9Lrw
Threatray 6'452 similar samples on MalwareBazaar
TLSH T19E256DD1F15088DAED6B09F1BD2BA53024D3AE9D94A4410C569EBB1B76F3342209FE1F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ödeme Onay Fişi.exe
Verdict:
Suspicious activity
Analysis date:
2023-09-23 08:06:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b1e9d1ad-d6f2-45ec-bfbd-62e601801d39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450702/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/650e9c331edabd99829ef7a1/reports/8e4ce2a5-4eb7-4b89-9c3c-600188eb82e8/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b2e927c33beb8e5f1b48f7f2accc05ab7d96baf812a53299e950aa96e98cd109
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4885dc7b-8b1f-4649-914b-f6894085081a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1313215
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2e927c33beb8e5f1b48f7f2accc05ab7d96baf812a53299e950aa96e98cd109/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 13:27:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wluspqz35ohf6g2i67zkztafvn6znoxyckstfgpjkcvjn2mm2eeq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4d5bf61908d4cedb7b9f4dc857e4c469f8feb1b7bdb4cd6190c68fe5ed9abeaa
AgentTesla
6a263de423ef5dbc1724917602ce7426c5e1f4bfc62ca455b31d1af02f67b95d
AgentTesla
98df0b1d208f23cdc1fc3b7cd659393ab072b80e81ce2100d08a1f3f8bfde6e4
AgentTesla
9bee15aa43bcdb1c361ba488354de254e7860b9f006ad7ce7602adc6d7667e62
AgentTesla
b944f0cf50ef8d58b8cb7bc4f3777cbf4c9e6b8017b7ac67546b89677d831441
AgentTesla
bb86f9dc3d6233f657539dbfd68787724b849c96de18c982620805647dbda743
AgentTesla
ee8e7b9f095f6eb61410237052c6195b4aedf3a20a94f9854285f03a76f3a3b2
AgentTesla
f3805d44dbb4499954b88053ba3e51b97d803a9e0cac8825bd084ca74a730496
AgentTesla
+ 6'442 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230923-jyvqkadh7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
a8a5fa695501c7d7e1c70dc9c7aa9dbaa98d03c4ded262947811cb883c3afe7d
MD5 hash:
200ab8e098a1e41ca357d3cdcfab4bdf
SHA1 hash:
dc2a6966c9b964286e41d8cc77d57bc5e41ed216
Link:
https://www.unpac.me/results/2531d31e-5bfe-4cbf-803b-5d3ed41244d4/
SH256 hash:
f18ede1829f6537e67a2f4e8cdcd767ee6b50b8dab392ecf26c75ac34e1494fb
MD5 hash:
65d61d54ea7665a497fed9699cc9e7e5
SHA1 hash:
8418bb9f902beac21267a1a60ac8431a4179defc
Link:
https://www.unpac.me/results/2531d31e-5bfe-4cbf-803b-5d3ed41244d4/
SH256 hash:
d0c4f1756cfd770069b0ac54ca6365f1ceb14f0e9ead1025faeda8ec2a8367f6
MD5 hash:
36fb59c2c6fa7ca60f490680165f516c
SHA1 hash:
6dd28454c9f1ef797628fe7f179ca7db85834061
Link:
https://www.unpac.me/results/2531d31e-5bfe-4cbf-803b-5d3ed41244d4/
SH256 hash:
2d6ec4a24943b334135367f4510da3e18a4be6d02d0993f1dd510c9d40c960db
MD5 hash:
6633b0c23a6af6689a92ec439743ff03
SHA1 hash:
0852b7d7c91194f43d09960abd8c3c74d2dd6ff7
Link:
https://www.unpac.me/results/2531d31e-5bfe-4cbf-803b-5d3ed41244d4/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/2531d31e-5bfe-4cbf-803b-5d3ed41244d4/
SH256 hash:
b2e927c33beb8e5f1b48f7f2accc05ab7d96baf812a53299e950aa96e98cd109
MD5 hash:
c08cb88535a333e1397cbb57e7a24201
SHA1 hash:
7f3cfd93b690c4693001b8ff74bdce3e7b794ff7
Link:
https://www.unpac.me/results/2531d31e-5bfe-4cbf-803b-5d3ed41244d4/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b2e927c33beb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2e927c33beb8e5f1b48f7f2accc05ab7d96baf812a53299e950aa96e98cd109

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b2e927c33beb8e5f1b48f7f2accc05ab7d96baf812a53299e950aa96e98cd109

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450702/

Comments