MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbea1423f0bad7f114b89acccbecb9f1df6deffb838f7a83cb660fb03b11ac28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbea1423f0bad7f114b89acccbecb9f1df6deffb838f7a83cb660fb03b11ac28
SHA3-384 hash: d961912fadee4cf2131dcdd6d39b4368da6bf5050b7c20ee87e19a2096245dc6e82189bfedafc02feb5631f24d2eef2f
SHA1 hash: 5cf849257dc43d900922e5ab2a0682c1a5841bee
MD5 hash: e486f315c516d62729c6029926445dcf
humanhash: jig-muppet-georgia-romeo
File name:FİYAT TEKLİFİ İSTEĞİ_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:438'278 bytes
First seen:2022-03-29 08:33:40 UTC
Last seen:2022-03-31 09:42:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:uNeZVlXhqtkpVOyjmRn1MOfRSwNuqb8CTnYOCUlrAISvb:uNmwtkUR1lJH/jCUlwT
Threatray 19'682 similar samples on MalwareBazaar
TLSH T168947DAFDA17558ED4F928F5C67FA6D252CC07E4B8790BC1E2401B72A12DA85F84334B
File icon (PE):PE icon
dhash icon 71ccd4d4d4fc3c46 (1 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/259069/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.16842.30285.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/11962/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed python shell32.dll
Link:
https://www.filescan.io/uploads/6242c47e1f204239484950bf/reports/d876ab2b-9e91-41df-b801-beeb729149d1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/321149dd-8d86-4a84-acf4-f4b84c38c707
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/967215
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dbea1423f0bad7f114b89acccbecb9f1df6deffb838f7a83cb660fb03b11ac28/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-03-29 08:08:16 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3pvbii7qxll7cffytlgmx3fz6hpw3373qohxva6lmyh3aoyrvqua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10a83aa402e7ea8968bb1e13485800737d614484da21d83c14eb54b1aafeeaaa
AgentTesla
7642c30cee6aa8c2ca74e267f4522ec280ae3fc402056eb07187a10dd0d92885
AgentTesla
88f27270e5c224bb7b8854267e53b8d0655392a89a14574a6661fc75a80b5a9b
AgentTesla
91db81cd38b9f713767e35c4012057b99734e8e0e889af77935c6a0b47eedcbb
AgentTesla
a871695c7312b67a4d3e5c3a41094a5c3824fcfa9f02ee67b2e0d21a0ba061d2
AgentTesla
f403d42973ac773f89be5f033e0ab6268e0078dda5dca6301ccd4924fbe9ec76
AgentTesla
+ 19'672 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220329-kge48achc3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
f785d8831173a074886bf77b854098b29e398a713d0a2873abe908c4c2c2d47b
MD5 hash:
08e8dbf99991432b9fbf73fc97b1fc3b
SHA1 hash:
aa3e1e376d9a97332637f1ec56b475af6d5ad117
Link:
https://www.unpac.me/results/afac0963-d0c1-4900-855c-8cf237617742/
SH256 hash:
e71fa602352288d68c037eb9e438de195e99531de4c865f5859768506a4a3ee2
MD5 hash:
2cbbdd4dc7d98b94601ea4d3cf0e48e2
SHA1 hash:
32343a058e68222177778b866464d50451aff938
Link:
https://www.unpac.me/results/afac0963-d0c1-4900-855c-8cf237617742/
SH256 hash:
5b7965cd08ca34d2bb710a2fe515561117d4a2d5c11304503ca74b9a8d2a34ae
MD5 hash:
c4e91a4b9ae2cb58b5ad901f8ec34c24
SHA1 hash:
e9eb5111ebab27e5533e2131703a2598584b3db8
Link:
https://www.unpac.me/results/afac0963-d0c1-4900-855c-8cf237617742/
SH256 hash:
dbea1423f0bad7f114b89acccbecb9f1df6deffb838f7a83cb660fb03b11ac28
MD5 hash:
e486f315c516d62729c6029926445dcf
SHA1 hash:
5cf849257dc43d900922e5ab2a0682c1a5841bee
Link:
https://www.unpac.me/results/afac0963-d0c1-4900-855c-8cf237617742/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dbea1423f0bad7f114b89acccbecb9f1df6deffb838f7a83cb660fb03b11ac28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe dbea1423f0bad7f114b89acccbecb9f1df6deffb838f7a83cb660fb03b11ac28

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/259069/

Comments