MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb324ac6fc91d827646e61d40b5213f55ab7359d611559d876825fe7d4cd0b57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb324ac6fc91d827646e61d40b5213f55ab7359d611559d876825fe7d4cd0b57
SHA3-384 hash: cbdb1f3f15df827fdb8817a3ba40f502c28f9236ffd8a7e544b50b46d0fe99e4a2e0ddcfadd2fe06ab0052ef9d09bc47
SHA1 hash: 86be99f907b769aa732688d2953a1ac93ad0dcd3
MD5 hash: 1fabf5ad5a8be2ff5c05c1d605c0056d
humanhash: nebraska-ack-pizza-arkansas
File name:1fabf5ad5a8be2ff5c05c1d605c0056d.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:949'760 bytes
First seen:2022-02-14 18:05:43 UTC
Last seen:2022-02-14 19:55:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:ou92ofHSu2KxkNwrcvDbllNqB63lv0Yx55lWhW:omfy1ukV7gY3fxd
Threatray 14'229 similar samples on MalwareBazaar
TLSH T12715020177ABAA23C57B0FB7D4B6424167B4EA16852BD37B64D431ED1C8B36C0E72239
File icon (PE):PE icon
dhash icon f8a4b2b4b4b4b2c0 (20 x AgentTesla, 8 x Loki, 6 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.jesmedla.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241470/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1197.981.15323.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/620a9a1e54047500bb54f54e/reports/c8ddd8e0-bcf6-409f-b381-bf4df0d10084/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34d6def7-43be-4f03-aee4-5118364daf68
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939643
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb324ac6fc91d827646e61d40b5213f55ab7359d611559d876825fe7d4cd0b57/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 18:06:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xmzevrx4shmcozdomhkawuqt6vnlonm5mekvtwdwqjp6pvgnbnlq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01b7ecba4c040bd3c352b2023e1f7f38c2b2ef741f23a91301153f03760d3505
AgentTesla
07cfb6b285785e234989d0a0d94945a518b31af4a1fe8a37238fb61910a62bdc
AgentTesla
285a61210326ff7f555c101bd70e19297a0eae42d1cb60a054c9b3827476920a
AgentTesla
7a8f5dbcd00d364145d28a29b058adc75da8041fe35d852ad9cf9ae439b51cfa
AgentTesla
9bceb9680d39094087add5289a7e19aa93168faf9c5f2465700b117d59e8d841
AgentTesla
acf07e3a8e5eab40aaa587590fe81ec7a98b0eb238d5640a857495500a9df71a
AgentTesla
bc297a5178f17d2b1f7c69649155df74086c99486c2caa5a1117fd45f52f41fa
AgentTesla
d1fea52507fc97ff419f8dd2ea8ecf689fb7c066cf8f18453378e95bf399c3d6
AgentTesla
da599a875bc329ff6666771a7b7df56e40a4727fd7e6261828aa8cd545a7a587
AgentTesla
+ 14'219 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220214-wprnrsbhbp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
3ca74eb4ce4c2c5604dc298949ae47996d93063abfde0682d689205561d17d44
MD5 hash:
4e35b541f3d9162d0ac93d336df67779
SHA1 hash:
bb9e65761186806d4bada659e9d5db0c070501d4
Link:
https://www.unpac.me/results/8b589f67-16bd-41ce-a84e-c17e36be6b00/
SH256 hash:
0f9e39d31651f8b2d8ce4be90d4405772c59a29435c0ab53fe19d31edf47e0ed
MD5 hash:
19d3f5f04a132c8702408699fa8d6ed5
SHA1 hash:
aaac7e7328d0829a3d5e3ed5d0556aa0081553bd
Link:
https://www.unpac.me/results/8b589f67-16bd-41ce-a84e-c17e36be6b00/
SH256 hash:
e5426203386b8990d6dc6582a6253f8f940e5addd84ed0b76aba9aaa59f80933
MD5 hash:
0e3a6eba36fa6a5ef84cf54fa112a11e
SHA1 hash:
2739366f05c6cca845f99f2ff037fbb383580265
Link:
https://www.unpac.me/results/8b589f67-16bd-41ce-a84e-c17e36be6b00/
SH256 hash:
8f4f12b4ee97c886d2780d8e4c4083a875304e178e7ea0b8938a7fa4ed3e9d44
MD5 hash:
f15600f3eda309c53b67f0390127fb05
SHA1 hash:
060c9ef40f8dbff428ccf8d05a53bde52f2a5ad8
Link:
https://www.unpac.me/results/8b589f67-16bd-41ce-a84e-c17e36be6b00/
SH256 hash:
bb324ac6fc91d827646e61d40b5213f55ab7359d611559d876825fe7d4cd0b57
MD5 hash:
1fabf5ad5a8be2ff5c05c1d605c0056d
SHA1 hash:
86be99f907b769aa732688d2953a1ac93ad0dcd3
Link:
https://www.unpac.me/results/8b589f67-16bd-41ce-a84e-c17e36be6b00/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bb324ac6fc91/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb324ac6fc91d827646e61d40b5213f55ab7359d611559d876825fe7d4cd0b57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe bb324ac6fc91d827646e61d40b5213f55ab7359d611559d876825fe7d4cd0b57

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2040361/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/241470/

Comments