MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 beeb242bb1a4ffa7cc706ac482236afb457d52ffdb0defcde160528b858c6b03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 9

SHA256 hash: beeb242bb1a4ffa7cc706ac482236afb457d52ffdb0defcde160528b858c6b03
SHA3-384 hash: b7dc7b492510cd6e46e7d41e767a61b8853f41855fd9932da29d97674d53e8c2adb1a9d6e8bd6f44d92222846238c0eb
SHA1 hash: 04b2e12f3ea3d5a7f08368364da82fd701eba6af
MD5 hash: 8fcb19e02d18c366516e3f171626915b
humanhash: blossom-carpet-idaho-echo
File name: Done.Ps1
Signature: AgentTesla
File size: 434'973 bytes
First seen: 2022-11-26 08:35:41 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 12288:emE2c2tF7mzczXwzis3Y7NZswOdWlRnHn:Jaz2Azis3mfB7jnH
Threatray: 20'126 similar samples on MalwareBazaar
TLSH: T1269492328315FDEC663EBC8AC8D420955CDC5853E368475EF1421ABBBA72A71CF74A24
Reporter: 0xToxin
Tags: AgentTesla ps1


0xToxin
http://codesparrow.net/Done.Ps1

Intelligence


File Origin
# of uploads: 1
# of downloads: 493
Origin country: IL
Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed

Result
Verdict: MALICIOUS

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Downloads files with wrong headers with respect to MIME Content-Type
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-11-25 15:23:44 UTC
File Type: Text (PowerShell)
AV detection: 8 of 26 (30.77%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
AgentTesla
Malware family: AgentTesla.v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AgentTesla
File type: PowerShell (PS) ps1
SHA256 hash: beeb242bb1a4ffa7cc706ac482236afb457d52ffdb0defcde160528b858c6b03 (this sample)

Delivery method
Distributed via web download

Comments