MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b532b8d30d6f2e657052c44c27649bf8aed491f0924dd424b586138ee0c2bdb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	b532b8d30d6f2e657052c44c27649bf8aed491f0924dd424b586138ee0c2bdb0
SHA3-384 hash:	6176b17f434e20b923c40fe25f8ea2a8a8e4c3a18db90b4836313fec15037bd4dd974a1c97e67c7ab39cd18b776463dc
SHA1 hash:	41a83e1742e903ed2b2f5ccbadc08300d83de25f
MD5 hash:	938467ebc05c2bdeb3962e731a267eb3
humanhash:	sierra-mike-don-maine
File name:	369012.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	39'936 bytes
First seen:	2022-02-21 14:07:07 UTC
Last seen:	2022-02-21 16:11:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	384:+eg4Ty1jlh+XEQXulaiAMwCKFH2S3dd0hUADkar6:2zEExlmMwCK/3deVD0
Threatray	15'254 similar samples on MalwareBazaar
TLSH	T1BE03E61A6892561DC5D43BF869B1A197663A7CE10124C18FDCF97F29E973223DCC226C
File icon (PE):
dhash icon	174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

226

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b532b8d30d6f2e657052c44c27649bf8aed491f0924dd424b586138ee0c2bdb0.exe

Verdict:

Malicious activity

Analysis date:

2022-02-21 14:38:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1e8efd9e-fc99-49b1-8a3e-e1d744813dac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/242974/

Detection(s):

SecuriteInfo.com.Trojan.DownloaderNET.322.29345.26154.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Creating a window

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62139cd0a2660f3bb91b8851/reports/a9591de4-e1f4-4f81-b7f6-6f79656dfe97/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/10723a4f-ae45-4a36-af2c-f75759cdf93c

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/943274

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Creates an undocumented autostart registry key

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Yara detected AgentTesla

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b532b8d30d6f2e657052c44c27649bf8aed491f0924dd424b586138ee0c2bdb0/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-21 09:26:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 42 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wuzlruynn4xgk4csyrgcoze37cxnjepqsjg5ijfvqyjy5ygcxwya._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

08ae3a735881e41099740e2e79fcd4107d5e94fe9267e28d6bf8bd9fd80a7ce6

AgentTesla

4429d5de4d9e544c06beba52b737a29e93ae559002e0aaacf532839678cdf7db

AgentTesla

542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def

AgentTesla

5518f7bfdc3e37c30964a7ff15b31879768bdfda368560a5402b60a85b740801

AgentTesla

8a0d96c6ab22bc62611c7cad581ca536d766063570117e0ddb1747828b5afc96

AgentTesla

960b028edbf5eabe1f2e55212b540fbe642cc4a6c60a829723b137c05055d38c

AgentTesla

c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4

AgentTesla

+ 15'244 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220221-rfmk8saea3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

b532b8d30d6f2e657052c44c27649bf8aed491f0924dd424b586138ee0c2bdb0

MD5 hash:

938467ebc05c2bdeb3962e731a267eb3

SHA1 hash:

41a83e1742e903ed2b2f5ccbadc08300d83de25f

Link:

https://www.unpac.me/results/9df03800-e142-421b-ae5a-c62ec6ec254d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/b532b8d30d6f2e657052c44c27649bf8aed491f0924dd424b586138ee0c2bdb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/242974/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample