MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf35e7ee59cf81f74be092d43acbb711377f115426db8e9f6f45fa1bbb3086b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf35e7ee59cf81f74be092d43acbb711377f115426db8e9f6f45fa1bbb3086b7
SHA3-384 hash: b007939b0a3a78deaf076e34acddd3678586d4b265f74130e878626e4f041da4bef1e6c811fe0f3f20b7e436e38deeeb
SHA1 hash: 65963c27166ef3757ca9a3660b4d809cd25d03fd
MD5 hash: 2d34f0e43b6204e390469023e4ce4870
humanhash: india-robert-triple-kilo
File name:image002.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:6'656 bytes
First seen:2022-09-24 10:17:48 UTC
Last seen:2022-09-29 14:07:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 96:KcpeTRA2Cx6eNczzQpgIcrX4Atk7g016HBJ1bFnU:JgzCKzigI+AF16H/8
Threatray 1'040 similar samples on MalwareBazaar
TLSH T102D1B512E7FD9732E9A20BBA5CB36381173CF7528E13C76C1CC0524EAE527A44A60769
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
image002.exe
Verdict:
Malicious activity
Analysis date:
2022-09-21 10:26:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/34106fb8-894a-416a-8dd4-9e19d1ba5f9a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312879/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/632ed99926a88abc7d230113/reports/371b9c2d-a7de-450d-a685-b35823e53ff9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ac751c09-abaa-4beb-85a4-8ade3c506574
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1076445
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Encrypted powershell cmdline option found
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries the IP of a very long domain name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf35e7ee59cf81f74be092d43acbb711377f115426db8e9f6f45fa1bbb3086b7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-20 13:36:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x426p3szz6a7os7aslkdvs5xce3x6ekue3ny5h3pix5bxozqq23q._file
Verdict:
malicious
Similar samples:
02aeff4e07664864d428440cab4be050ddc1504ff997ce0fef7068899139318d
AgentTesla
67dc36b32a718de5d05b8ccf59d8a0415a76c8c42729065145f7f9da83726b7b
AgentTesla
74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
AgentTesla
77b7758c451f9937848e83eb12fdfae2b7e555fba1e2c3816170fefe87439e23
AgentTesla
a6db7e8c70adc90b74c0f08503f49cf041d79afed3b916676892725ce2dbcce0
AgentTesla
acbc5e7367f627f945f99b9b6e5b3debe0ab53bd62474f2c8e59564e2883217f
AgentTesla
b4a4d9ba766e3333fc68276c91f49430f2f95c1b555fcf72697e33e80646c6c2
AgentTesla
d5c3c233551f93893a0cd5fdcc2f51bb1fd76c22a92028dbb460071504ef67fb
AgentTesla
fbd2cb021582048f9df1e5ae9a65c92e90bb9b3024763616ffa4043b18876239
AgentTesla
+ 1'030 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220924-mbx4ysbad5/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6f5b467f-6323-4d8a-82b5-cf2a8522a0aa
Unpacked files
SH256 hash:
bf35e7ee59cf81f74be092d43acbb711377f115426db8e9f6f45fa1bbb3086b7
MD5 hash:
2d34f0e43b6204e390469023e4ce4870
SHA1 hash:
65963c27166ef3757ca9a3660b4d809cd25d03fd
Link:
https://www.unpac.me/results/3ba0bd46-cce9-4a28-8353-073d7fcb4285/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf35e7ee59cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/bf35e7ee59cf81f74be092d43acbb711377f115426db8e9f6f45fa1bbb3086b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 2f8b08bc0ff7ea80f283cfe26640c49b6ee0cc1ebd63fa61ef31d3ef42a0ea22

AgentTesla

Executable exe bf35e7ee59cf81f74be092d43acbb711377f115426db8e9f6f45fa1bbb3086b7

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/312879/
  
Dropped by
SHA256 2f8b08bc0ff7ea80f283cfe26640c49b6ee0cc1ebd63fa61ef31d3ef42a0ea22
  
Dropped by
MD5 e9060ba0b286837d4cecf9756dbc0527

Comments