MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b78040849f2b58f1cf44d65b15df6aa282b0958cda4445f691633e39b2c644ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b78040849f2b58f1cf44d65b15df6aa282b0958cda4445f691633e39b2c644ea
SHA3-384 hash: 62a2ffc9867d7e6d8f5cc19c3bf498135facf89c0040214e9f05d2d411a04c4b4c1cce6f62b470334f1c9ccf20692de9
SHA1 hash: 0d51003f107cac03dfa08a7072f7f3531a587e6f
MD5 hash: ed85bceeb4c1114d9cc4beca54e1b506
humanhash: video-alpha-apart-dakota
File name:I6T-MC-AMAP 1151426612 2022 2022V0000398....exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:327'138 bytes
First seen:2022-12-22 00:52:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 6144:QBn1qDJB40ZMqJxwk+rpQDOFgcMhZnbDm0FYc2uE28G8aOGTwe:gqN60Z/wFrlgcaZfNFYc2u58HGce
Threatray 2'258 similar samples on MalwareBazaar
TLSH T18264222912D1E663DA87123186B75936F27BA3203027915B4BD4FE7F5D3B5C1E80A3E2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
I6T-MC-AMAP 1151426612 2022 2022V0000398....exe
Verdict:
Malicious activity
Analysis date:
2022-12-22 00:55:18 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/feed0fe5-6cf9-4264-8de5-86f5c43386a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/348898/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.17874.22056.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63a3aa6f69b0db15ccdca7a2/reports/6a16445a-771e-42cf-b808-f16bbc6fb1ee/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/538afe17-fe38-4fe3-b361-402936447d7c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1139082
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b78040849f2b58f1cf44d65b15df6aa282b0958cda4445f691633e39b2c644ea/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-12-07 06:58:13 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
28 of 40 (70.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w6aebbe7fnmpdt2e2znrlx3kukblbfmm3jcel5urmm7dtmwgitva._file
Verdict:
malicious
Similar samples:
037d18a0489c63d5d9ba87f8ea9652c511df0787eb9d8fe361cfab7f93e03582
AgentTesla
0d09e99b2a15cae89b2b6c61ae744d8437b2289615d909ee58ee52ac865b5872
AgentTesla
12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869
AgentTesla
2d5d72d557920e6beef5c35e3cdd3ddd1339b2c4306e4b79e540058afede2063
AgentTesla
6e8de74475e365bdd0f573a03266f447a13f30a76cc2c71d14c1fc5607e1ae5d
AgentTesla
783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06
AgentTesla
8a8bd03d6e56297acd34652142a5cb999089c75e28decf038c43eeccc14158ba
AgentTesla
91b5a61f0615710ef9ca5fd015e1cbe36b908516c5882463e4bdc694133c0829
AgentTesla
f88caffeed956cd5b1671dde49bfc61dac4fd2007b46287debf7dab6c179bf46
AgentTesla
+ 2'248 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221222-a8mm9sgg9w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla payload
AgentTesla
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7f995756-52b6-4562-bbd8-dabea976a14f
Unpacked files
SH256 hash:
9735eb3db3bb8e63249cdc5659de544ff6fac0f9e9987b1c7b0ccac8c2aadb69
MD5 hash:
c094f82f282257c7d88030e3bc561729
SHA1 hash:
e09147f7b9874bcfbebda13c7ab6ced7d6c6ae17
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/e0c38860-0fb4-4726-baea-2cc37c0a576f/
Parent samples :
f0da229cd56486cb27d1465410147676261d663a62aa9e95f27fda1b2ee5a662
b78040849f2b58f1cf44d65b15df6aa282b0958cda4445f691633e39b2c644ea
7eb652a8ae8849d8b7fb0f2cc9a0b6a591874c564c7ab275fe519ba37895a43f
830259122e9c75a4977848c7a340c7a13efb927302035bf9f3460530c5f4d7dd
b506dc9b1bc7904f4e8abc8a14d0b44ccc1c0a7ca687761349d38a425baa1348
fd2ddd6b33014512158a83661ab481547e2b7b34a80d2c32ef05ae37826c4e42
6fe8c589727c61797e7f1be599e1b8d19d5ba37bd71d7223f866c6d94dfbaf1c
4e07c4b00b345ceb00f859475df5179802164912527f8feae6820a8ef50bb15f
ffdf5ac834d24512efa206781e9555b3a4ec7de8e27733de0b1187cf3b26fbf4
b9eef3caa6be71a2a745055198dd0243a792b8faf6314554e050c037733c7588
62dc73beb92c72827a3408e42c9220f5d33258258ff03bfc7285d02f7372eee8
df4f3740e1876d09c3d045fdcc6a6245576994091fcc7cafe4c6b7fc76428b95
SH256 hash:
b60516c713e9e499babb6cd3443eed7c54cb20c7155d896938ff6cecc6765a65
MD5 hash:
244c4ae87b8353d1ec7758d5e588d8ee
SHA1 hash:
9aed5e2c231207811c6e0b1126314c31101d5724
Link:
https://www.unpac.me/results/e0c38860-0fb4-4726-baea-2cc37c0a576f/
SH256 hash:
7862ea8ba3d9871c4cb6a27e3963e7f95ae623c775bd64e4fa47adeb35f74d9d
MD5 hash:
ca1239188efbadaae5ee97af133749ba
SHA1 hash:
eb88a573b850adbf3689dd78e6352bc2d725a439
Link:
https://www.unpac.me/results/e0c38860-0fb4-4726-baea-2cc37c0a576f/
SH256 hash:
b78040849f2b58f1cf44d65b15df6aa282b0958cda4445f691633e39b2c644ea
MD5 hash:
ed85bceeb4c1114d9cc4beca54e1b506
SHA1 hash:
0d51003f107cac03dfa08a7072f7f3531a587e6f
Link:
https://www.unpac.me/results/e0c38860-0fb4-4726-baea-2cc37c0a576f/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b78040849f2b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b78040849f2b58f1cf44d65b15df6aa282b0958cda4445f691633e39b2c644ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b78040849f2b58f1cf44d65b15df6aa282b0958cda4445f691633e39b2c644ea

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/348898/

Comments