MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c
SHA3-384 hash: f0de5704341e9b0c9eee558e2b5958d40a6ecf31cf674d04ac6634a16d36a27a878ed9d96b75e3ae9ff7dd155c3345d2
SHA1 hash: cb40f86b808c7b7812fff7820dc596d3a78e5760
MD5 hash: 2ddec3a033a6ded2ec135bb2f3ec897d
humanhash: uncle-nitrogen-seven-eleven
File name:file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'825'280 bytes
First seen:2023-03-20 18:28:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:rWWKtu1Dze6HDpLaCKyUjOK/sQg1GuYfyQ6vOHRQPrMgYJvlaWW33Q4Sfp8gkAmh:6JJjdagPM3v90Q6pYX
TLSH T15D855BF20283FEC5A76F1D4484143940AC1418676BBC9768FDC92A97A3E9524EF9DEF0
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:.NET AgentTesla exe MSIL

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-20 18:33:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1fe914f9-ec6f-4bdd-801d-c6ce3f661579

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375994/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6418a5f03b01ade53e6fc029/reports/e7f005d9-4fc6-4bc4-9675-d9d20ecfd8c2/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c933a62a-8d44-4962-97af-f8213852cbfa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1198002
Signature
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 830902 Sample: file.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 51 api4.ipify.org 2->51 53 api.telegram.org 2->53 55 api.ipify.org 2->55 65 Snort IDS alert for network traffic 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 Yara detected Telegram RAT 2->69 71 5 other signatures 2->71 8 file.exe 1 8 2->8         started        12 Qasvjoldkyh.exe 4 2->12         started        14 kDPmkTm.exe 4 2->14         started        16 2 other processes 2->16 signatures3 process4 file5 45 C:\Users\user\AppData\...\Qasvjoldkyh.exe, PE32 8->45 dropped 47 C:\Users\...\Qasvjoldkyh.exe:Zone.Identifier, ASCII 8->47 dropped 49 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 8->49 dropped 85 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->85 87 May check the online IP address of the machine 8->87 89 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->89 91 Creates multiple autostart registry keys 8->91 18 file.exe 17 5 8->18         started        23 powershell.exe 15 8->23         started        25 file.exe 8->25         started        93 Multi AV Scanner detection for dropped file 12->93 95 Machine Learning detection for dropped file 12->95 97 Encrypted powershell cmdline option found 12->97 27 Qasvjoldkyh.exe 12->27         started        29 powershell.exe 12->29         started        99 Injects a PE file into a foreign processes 14->99 31 powershell.exe 14->31         started        33 kDPmkTm.exe 14->33         started        signatures6 process7 dnsIp8 57 api4.ipify.org 104.237.62.211, 443, 49697, 49700 WEBNXUS United States 18->57 59 api.telegram.org 149.154.167.220, 443, 49698, 49702 TELEGRAMRU United Kingdom 18->59 63 2 other IPs or domains 18->63 41 C:\Users\user\AppData\Roaming\...\kDPmkTm.exe, PE32 18->41 dropped 43 C:\Users\user\...\kDPmkTm.exe:Zone.Identifier, ASCII 18->43 dropped 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->73 75 Tries to steal Mail credentials (via file / registry access) 18->75 77 Creates multiple autostart registry keys 18->77 35 conhost.exe 23->35         started        61 api.ipify.org 27->61 79 Tries to harvest and steal browser information (history, passwords, etc) 27->79 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->81 83 Installs a global keyboard hook 27->83 37 conhost.exe 29->37         started        39 conhost.exe 31->39         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-20 18:29:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xnbjpyowb67qzftq6osdnu6abgjta7gplo7zxlpeu3v4wyeo3vwa._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230320-w4ww2aeh34/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/
Unpacked files
SH256 hash:
30859f8d1d409cfa51e9975d2ff25e46dd1586f0a3fa9c52482e1e25456e465a
MD5 hash:
23aed79245f5bc54afa8f687665971c6
SHA1 hash:
fdb08d00c2c69a67814cc7e4a6ea4c0adc3cf81a
Link:
https://www.unpac.me/results/30ef9244-fb33-433e-9b3a-315e60147bf6/
SH256 hash:
94bb9d2af34715c6f9ec0d626fb329eaf0f77372e305bb8aaf324e760a17266a
MD5 hash:
a9bf40dca3c081bfa0184eec8046b69f
SHA1 hash:
e9bb7f20b391bf4a5a861649e3bd0d9f5cd017b6
Link:
https://www.unpac.me/results/30ef9244-fb33-433e-9b3a-315e60147bf6/
SH256 hash:
99ab1ab754ec1b48a4408afd1ea2ba62445944cd69c194dd0b0831429f6ac9d3
MD5 hash:
aa9abaaaef8edce4c73dc8276a4128ef
SHA1 hash:
07830eda93b91ed2dc28c6da4c0842407db85381
Link:
https://www.unpac.me/results/30ef9244-fb33-433e-9b3a-315e60147bf6/
SH256 hash:
bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c
MD5 hash:
2ddec3a033a6ded2ec135bb2f3ec897d
SHA1 hash:
cb40f86b808c7b7812fff7820dc596d3a78e5760
Link:
https://www.unpac.me/results/30ef9244-fb33-433e-9b3a-315e60147bf6/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bb4297e1d60f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2538577/
Cape
Cape
https://www.capesandbox.com/analysis/375994/

Comments