MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e
SHA3-384 hash: b3e4f0962ac910e3689b7f750605846773116dff21499814955e0bb4f611bf9a2721b3831775a82eaacbfca4389a4aa4
SHA1 hash: fc09b42732f4882bc43845aa16448db259db2820
MD5 hash: 49b30367cc4e82565b22cf3299d673c0
humanhash: bulldog-nevada-sixteen-cup
File name:160-4833933645027883.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:385'650 bytes
First seen:2022-11-24 09:59:37 UTC
Last seen:2022-11-28 14:46:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 6144:QBn1tG7w8exMNhxFa0L0CCEPnedspOjYj2d8xKGAZNj1a0vC3aAeFaWPT6QFa7Hm:gQDexMBA0L0AYNd8VALjIMC3aLtT6QFz
Threatray 20'018 similar samples on MalwareBazaar
TLSH T1518423B7BDE181F7C40B92313C36B374C7BAE6C956651F8783605F3F282568E0A911A6
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
222
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
160-4833933645027883.exe
Verdict:
Malicious activity
Analysis date:
2022-11-24 10:02:48 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/8c0f034b-a1b8-444d-a8ab-c3d7db885baf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338005/
Detection(s):
SecuriteInfo.com.FileRepMalware.3958.9826.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/637f40a6ccc04a029db33f8d/reports/b683f0a7-710f-4f9c-93d5-8756d49f17f7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/577ece28-13c1-4042-9244-0a2e8a90fecc
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120434
Signature
.NET source code contains very large array initializations
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 753148 Sample: 160-4833933645027883.exe Startdate: 24/11/2022 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected AgentTesla 2->48 50 2 other signatures 2->50 8 160-4833933645027883.exe 19 2->8         started        11 luintelyveapby.exe 1 2->11         started        14 luintelyveapby.exe 1 2->14         started        process3 file4 36 C:\Users\user\AppData\Local\...\gleyixnnq.exe, PE32 8->36 dropped 16 gleyixnnq.exe 1 3 8->16         started        52 Multi AV Scanner detection for dropped file 11->52 20 WerFault.exe 10 11->20         started        22 conhost.exe 11->22         started        24 WerFault.exe 10 14->24         started        26 conhost.exe 14->26         started        signatures5 process6 file7 34 C:\Users\user\AppData\...\luintelyveapby.exe, PE32 16->34 dropped 38 Multi AV Scanner detection for dropped file 16->38 40 Detected unpacking (creates a PE file in dynamic memory) 16->40 42 Maps a DLL or memory area into another process 16->42 28 gleyixnnq.exe 2 16->28         started        30 conhost.exe 16->30         started        signatures8 process9 process10 32 WerFault.exe 20 9 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-24 09:49:25 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2jkhixfc5xlcyxu5giy3gey24bs3fylvt7uzc3pznzwbjl2zvgpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05793491a0160fba57cf1219dd69f0c49a1fd9a43cafe0f78590c1e526f298c6
AgentTesla
19036261b89b27743d0b8c2353751f57b256357525068f67b166608b1eb33268
AgentTesla
19de4d4d72c8afbd254b044dff3b4959036a10fb75a1c79deb85fd4a29cfc802
AgentTesla
3315dba57b06d3e95fdab93ad09e5a67755b7ecf81274b0907cfe2e051e36b3b
AgentTesla
91b511bb7a9d86543503ce39dbda14d12f86d8d704a7e97c070356a182902bf7
AgentTesla
9f660ff6e3caee11f67955164f6960a03343ab34ff7d234c004579aee754d9ce
AgentTesla
b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee
AgentTesla
d19f7c46b3fa82c6f7902bdc4679d13f9933f72c2826e817bff08e7d0869a92c
AgentTesla
e2150f160d11a8a7917b38060171eceeb1d68209ca5c81394682b0d828f35ac9
AgentTesla
ef93be06b93e89bc68dd92ca713f40e320a654c49a241a6884785acf964b8ba9
AgentTesla
+ 20'008 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221124-l1nq5sfc57/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dff68e0b-001f-432b-9438-2928c2b344a9
Unpacked files
SH256 hash:
4a2f751ade893e4047bed1fde647496804a95f05b115923987896ec942e5e76c
MD5 hash:
e78da4f5ee29898248aaf59d6aebd206
SHA1 hash:
2edc93509848eecea7a2bc01b36b58be74faa4a6
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/f7ee3448-558c-44c7-abe8-c97b2150b914/
Parent samples :
b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee
d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e
SH256 hash:
2668a97429e0591f37d064dc062ba2ea5c5d625b1c7b3476e9f090bf70d60ac1
MD5 hash:
c8cb40779fd4a777c0f430bbb5d9f4b0
SHA1 hash:
2286ae0eafed7de5f975ae66a935f3440901f100
Link:
https://www.unpac.me/results/f7ee3448-558c-44c7-abe8-c97b2150b914/
SH256 hash:
d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e
MD5 hash:
49b30367cc4e82565b22cf3299d673c0
SHA1 hash:
fc09b42732f4882bc43845aa16448db259db2820
Link:
https://www.unpac.me/results/f7ee3448-558c-44c7-abe8-c97b2150b914/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d254745ca2ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 9320335e97cdd424812d2eca07cd65145a8ffa772102308ea39294ea2a1d7090

AgentTesla

Executable exe d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/338005/
  
Dropped by
SHA256 9320335e97cdd424812d2eca07cd65145a8ffa772102308ea39294ea2a1d7090
  
Dropped by
MD5 70c411a9753bb90abd5597a4c0dc327a

Comments