MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1152b70f5918e5fcb1e0648d485d7ed5b06a2394bf182ff0a1049cabb04d065. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1152b70f5918e5fcb1e0648d485d7ed5b06a2394bf182ff0a1049cabb04d065
SHA3-384 hash: a6d6f8da7fda08d71645768e88eedb7526cf2d4e88c08a39661d4c92750d0702b5f0900756079e370bea885dc1be1966
SHA1 hash: 7f835b755ba442c3644686f822c16b9ac0ddd4aa
MD5 hash: 6e4e9358322821e9c69fa70a7f1eebb9
humanhash: colorado-virginia-alabama-moon
File name:PO2302841R2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'306'624 bytes
First seen:2023-06-14 08:04:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:MqrExSjcPI40hXvNrJdLjN9/dF2KVLb1MfUZ:MVxSjrPhfdJNN91RpbefUZ
Threatray 5'380 similar samples on MalwareBazaar
TLSH T17255A23E18BE123795B4C6A6CFE5886BF040EDB731226D39A4D77396433694229C713E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 13607332330b0bb3 (55 x AgentTesla, 16 x RedLineStealer, 13 x MassLogger)
Reporter cocaman
Tags:AgentTesla exe Shipping

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO2302841R2.exe
Verdict:
Malicious activity
Analysis date:
2023-06-14 08:06:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75da9a03-be06-4b0e-b94b-160799e8cfdb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398645/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDS.61012259.30732.16616.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/648974b0b1178157d133320b/reports/36d31959-f4e0-444a-89e8-60b801209693/overview
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/d1152b70f5918e5fcb1e0648d485d7ed5b06a2394bf182ff0a1049cabb04d065
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b66aebba-164f-49dc-b503-c0ef1fdef101
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1254246
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d1152b70f5918e5fcb1e0648d485d7ed5b06a2394bf182ff0a1049cabb04d065/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 15:46:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2eksw4hvsghf7sy6azenjbox5vnqnirzjpyyf7ykcbe4voye2bsq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
44e5d64cb7530cb3bf9c086a5f1cb7aa7c8a0cd61f08a316b08a95e9d629d853
AgentTesla
57191284c75940f3a637266acc38d3a503ab97a52c9d99a0a85ff61d27420b6f
AgentTesla
58036d338d5e813b0143524d21a140f38d8b58f1a531b72f7ce4a82091380185
AgentTesla
5d9023550ab2c666d9361bb72940be22b4304febbb93f21e4a93ea93748f33c8
AgentTesla
60e1ed8c3c6bc9d9ef48d6e2129a75c8d39deb97844ab5b17944539e4400f24a
AgentTesla
84ccefabf526a27d7d711f91219ba6531857883cc103dcfe1823f7d8240eb760
AgentTesla
852e0d9a8f474077261d053d587868b211e70eff320a7e7067c3fc1cb3253ea5
AgentTesla
8617b9831e3ac243a932ac26cb32dcf1b3554300389c2d6d88b920b5d97be0dd
AgentTesla
a6732c43b74439cbbb8fff0defb66d8f81ce10e8c50a940e5f5819c1722bbeca
AgentTesla
eeb2bc1861ce16da1ce6bf7a28f19b6096454dd3f1133d3cc4f89e6eadf67dfa
AgentTesla
+ 5'370 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230614-jyts9seh51/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6083045754:AAHbkpeZPAvRW4Fa_9KflBf2DYAR9w_K-Zw/
Unpacked files
SH256 hash:
f8dbc6077f6b01c6eec334061d687ff1b291a2aa5513cf1e0b5bde4a8dbc5588
MD5 hash:
15aab611795bcbf2758052944013be1a
SHA1 hash:
772a1002b111e117cf3b1e9f0cabda4894777399
Link:
https://www.unpac.me/results/a47bc174-b51b-49dc-b77f-61e33ca52f8c/
SH256 hash:
90abc1235306796e82f284392509f1cd6c9150b8fa2b93b5cd976537462c7b53
MD5 hash:
363cc1ac1fa18f653a353d6e8cbc18ae
SHA1 hash:
63670df5c3909c16060eae0e74b491f1985ea37f
Link:
https://www.unpac.me/results/a47bc174-b51b-49dc-b77f-61e33ca52f8c/
SH256 hash:
252feae5708e150267f0d57d8f70c9612c5f641a7d5548903e0892affd2eef9f
MD5 hash:
42ab83288f9e761e3e5ee4f724c75915
SHA1 hash:
1251a3a94e155365fd55f1cf21c1399b317d3a4f
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/a47bc174-b51b-49dc-b77f-61e33ca52f8c/
Parent samples :
d1152b70f5918e5fcb1e0648d485d7ed5b06a2394bf182ff0a1049cabb04d065
499fc905a60527c707ad9253ddc60628e9538a47f3faf923aff4f1f2eb535f57
0f9668c1aeead48b7e5e2b89df2e0b917a478e67da9f6a562e77b42f533c45ac
SH256 hash:
32eab90aeb5290617b366eebe2df5550449d7952ba04b29ad05700b1d47a7ffd
MD5 hash:
1900d5d2bb0a268859c1868a76233147
SHA1 hash:
0d4f357f7d08780f4f7cc19ba8a5ad48fc62004f
Link:
https://www.unpac.me/results/a47bc174-b51b-49dc-b77f-61e33ca52f8c/
SH256 hash:
95c0b395f49ef2a717257f05ba5adb610c0731e3b3bc80a2e28468233bd3d984
MD5 hash:
9174a6c397e673ceee1e9d3832383cec
SHA1 hash:
09abd9b199d2c67e21495e497fef5cf9144a19b2
Link:
https://www.unpac.me/results/a47bc174-b51b-49dc-b77f-61e33ca52f8c/
SH256 hash:
d1152b70f5918e5fcb1e0648d485d7ed5b06a2394bf182ff0a1049cabb04d065
MD5 hash:
6e4e9358322821e9c69fa70a7f1eebb9
SHA1 hash:
7f835b755ba442c3644686f822c16b9ac0ddd4aa
Link:
https://www.unpac.me/results/a47bc174-b51b-49dc-b77f-61e33ca52f8c/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1152b70f591/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1152b70f5918e5fcb1e0648d485d7ed5b06a2394bf182ff0a1049cabb04d065

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z e0d66ed08b0e06fe834efc4d953c9407380d5202edc634427f859bd0026cae40

AgentTesla

Executable exe d1152b70f5918e5fcb1e0648d485d7ed5b06a2394bf182ff0a1049cabb04d065

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e0d66ed08b0e06fe834efc4d953c9407380d5202edc634427f859bd0026cae40
Cape
Cape
https://www.capesandbox.com/analysis/398645/
  
Dropped by
MD5 ac9892aeed1bca2495672d9e14366307

Comments