MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb8e578f777a7963c7e18be9484136f341dae13f47afed2b7c6c46a3f4d47ca2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb8e578f777a7963c7e18be9484136f341dae13f47afed2b7c6c46a3f4d47ca2
SHA3-384 hash: 15f4c4b61cb86d38fca6075c59f220f6033921e8a2d5cccf7af0a71b2a5f8d3500b2485ab7a55601afe06c43afb33973
SHA1 hash: 2194ddaa5ffaebc15d0901fe9837a3ef96609406
MD5 hash: a91b952255664f9d052d71b998b5093e
humanhash: wyoming-mexico-johnny-asparagus
File name:Encargar artículos.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'087'488 bytes
First seen:2023-02-07 13:53:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:dp1WYGDkjwJsoGlWzykX0RShZtfMeGTx6IryXZfR3FYYejL:dp0Y5UsoGlzkwSztfMeKx/EZfcT
Threatray 22'342 similar samples on MalwareBazaar
TLSH T16A357C013AF6C863F44A0A7460283DCC363CEC57ABE9419FB972B96453B2766F5D8D21
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 2b65e6e6e4216161 (1 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Encargar artículos.exe
Verdict:
Malicious activity
Analysis date:
2023-02-07 13:54:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f0ba8e11-05c4-4599-b090-b2dfd410026f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361369/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e257fb905a5ac3b909a81a/reports/38cafd07-13eb-4d06-97f9-1237f6431d64/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bb8e578f777a7963c7e18be9484136f341dae13f47afed2b7c6c46a3f4d47ca2
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d08b56bd-e896-4f85-bf3c-97a8453d14fd
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1167694
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 800474 Sample: Encargar art#U00edculos.exe Startdate: 07/02/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 12 other signatures 2->59 7 spWvAQsthONB.exe 5 2->7         started        10 Encargar art#U00edculos.exe 7 2->10         started        process3 file4 61 Multi AV Scanner detection for dropped file 7->61 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->63 65 May check the online IP address of the machine 7->65 71 2 other signatures 7->71 13 spWvAQsthONB.exe 7->13         started        17 schtasks.exe 7->17         started        35 C:\Users\user\AppData\...\spWvAQsthONB.exe, PE32 10->35 dropped 37 C:\Users\...\spWvAQsthONB.exe:Zone.Identifier, ASCII 10->37 dropped 39 C:\Users\user\AppData\Local\...\tmp3B9B.tmp, XML 10->39 dropped 41 C:\Users\...ncargar art#U00edculos.exe.log, ASCII 10->41 dropped 67 Adds a directory exclusion to Windows Defender 10->67 69 Injects a PE file into a foreign processes 10->69 19 Encargar art#U00edculos.exe 15 2 10->19         started        21 powershell.exe 19 10->21         started        23 powershell.exe 21 10->23         started        25 schtasks.exe 1 10->25         started        signatures5 process6 dnsIp7 43 173.231.16.76, 443, 49696 WEBNXUS United States 13->43 45 api.ipify.org 13->45 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->73 75 Tries to steal Mail credentials (via file / registry access) 13->75 77 Tries to harvest and steal browser information (history, passwords, etc) 13->77 27 conhost.exe 17->27         started        47 api4.ipify.org 64.185.227.155, 443, 49695 WEBNXUS United States 19->47 49 api.telegram.org 149.154.167.220, 443, 49697, 49698 TELEGRAMRU United Kingdom 19->49 51 api.ipify.org 19->51 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb8e578f777a7963c7e18be9484136f341dae13f47afed2b7c6c46a3f4d47ca2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 13:54:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xohfpd3xpj4whr7brpuuqqjw6na5vyj7i6x62k34nrdkh5gupsra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
24902a43196fd02d2939443510181c165980bd71e889dcff559ca25153c76d81
AgentTesla
2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478
AgentTesla
2a890802046e55c856e2a6be5a2268fb8ba4410c15ac51415a1c30b0cd2336b2
AgentTesla
808bb32f710ae23d2a4b53b873f766bf56d905dbe8e51810edd15ff79538cd94
AgentTesla
a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8
AgentTesla
c5a38850fd0174c6c0464695cb4a01e8b75b1d3010df4c05a6b70c595ff3cb5e
AgentTesla
+ 22'332 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230207-q7jg8aca35/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5693068931:AAGSQSNIWDJM1FzeZVNHS020I9wVBrQdkRM/
Unpacked files
SH256 hash:
6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef
MD5 hash:
f759d70f3bbee3865d9ba45b70c59bea
SHA1 hash:
f07ca29866cf8b0d92f18904860c40a284a5f550
Link:
https://www.unpac.me/results/b6685fd4-2b95-42fa-aa4c-85e6d703dc3e/
SH256 hash:
39963d16434e6f9bf4d91310bdd593940bd30be01fe2dfbed24994db50f913a2
MD5 hash:
79ae97a62e6824fc4fd746bb22a9d7aa
SHA1 hash:
d832b37627b0861a49213061ad8ae5da06f49ffc
Link:
https://www.unpac.me/results/b6685fd4-2b95-42fa-aa4c-85e6d703dc3e/
SH256 hash:
ee815062bdf841f00824e93e8fd1f5d0d4974a4dc887be2998d30b123c853be1
MD5 hash:
31845f994102048df92dd1efc3e27ba7
SHA1 hash:
9ba8c27367da930d903cf12f74f0724bd2ec2feb
Link:
https://www.unpac.me/results/b6685fd4-2b95-42fa-aa4c-85e6d703dc3e/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/b6685fd4-2b95-42fa-aa4c-85e6d703dc3e/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
3a1f73e1cde1598d8d8157f1c63320a379f20b6d9a7476ea2ce0a5e6975a47a5
MD5 hash:
828e7edde7910f070be2d40027c4ace9
SHA1 hash:
7703f346f3c33648be79746372befa73ca65a4c8
Link:
https://www.unpac.me/results/b6685fd4-2b95-42fa-aa4c-85e6d703dc3e/
SH256 hash:
bb8e578f777a7963c7e18be9484136f341dae13f47afed2b7c6c46a3f4d47ca2
MD5 hash:
a91b952255664f9d052d71b998b5093e
SHA1 hash:
2194ddaa5ffaebc15d0901fe9837a3ef96609406
Link:
https://www.unpac.me/results/b6685fd4-2b95-42fa-aa4c-85e6d703dc3e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bb8e578f777a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb8e578f777a7963c7e18be9484136f341dae13f47afed2b7c6c46a3f4d47ca2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe bb8e578f777a7963c7e18be9484136f341dae13f47afed2b7c6c46a3f4d47ca2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/361369/

Comments