MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de2387252a9a00bbad8b4e50b4eea5f426c701b3ac6c9cdb85921b2b9fa220ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments 1

SHA256 hash:	de2387252a9a00bbad8b4e50b4eea5f426c701b3ac6c9cdb85921b2b9fa220ed
SHA3-384 hash:	2ed44b64f059fe2dc464170662b092211e8c4d0842a81228972e4f8e2edcb0816b86262a8b106ecf9d9c7140be85ec93
SHA1 hash:	9d100cc882a8e2ef390a8366b4f559c892d01098
MD5 hash:	da4a3878ed0b549954294e4ca19ed140
humanhash:	glucose-diet-steak-sweet
File name:	da4a3878ed0b549954294e4ca19ed140
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	892'928 bytes
First seen:	2022-01-21 20:50:12 UTC
Last seen:	2022-01-21 23:56:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:qgL9EyDPCpQYz2EsuXZPetn7TTlL09UdKq6+i9vYF9Ah7QydAuF3JvSepLfgd9rE:DapQu2xC2nriI6+i9vYF
Threatray	14'564 similar samples on MalwareBazaar
TLSH	T1B515089D325071EFC867C572CEA81CA4EB61747A971BC207901312ADAE4DA97DF242F3
Reporter	zbetcheckin
Tags:	32 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

369

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

da4a3878ed0b549954294e4ca19ed140

Verdict:

Malicious activity

Analysis date:

2022-01-22 02:21:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1b27d8df-f5a0-44dd-93d2-4d55ab314fa0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/221571/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.GLJ.genEldorado.2609.20715.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

ftp.exe obfuscated packed remote.exe

Link:

https://www.filescan.io/uploads/61eb1cba0f8c757253d65a8a/reports/e6641d61-c5b4-4149-a1c6-76a3558cb652/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e22bb5e9-2e64-4ab5-9914-cd355b8aec2b

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/925488

Signature

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/de2387252a9a00bbad8b4e50b4eea5f426c701b3ac6c9cdb85921b2b9fa220ed/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-21 20:52:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3yryojjktialxlmljzilj3vf6qtmoantvrwjzw4fsinsxh5cedwq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

7291efc2174f4ad5ee7a13579fb5e12f43fd5b27d610de22c50a152e540e92d9

AgentTesla

8078e1f99bc52197192e8e06ca039b8cac18c86c99bffa2ef70bdc3ca2bfa7ba

AgentTesla

83bf33f59a2317bc1dd4457798cae79e2d607d511cf12c3c0cff36886fe20d19

AgentTesla

a5b4a1aa53134e93a392b7b90cc7c5d4a939d4f61bdf330de08d49fa1b4356ed

AgentTesla

e41c50d817a963a03c07188bda3e42f164f1ce189f2875dc7f5125594d4ec159

AgentTesla

ecd1fe2b5e0b6ce3b21a567913fdbde90f7f21a30955de30101bad4e35b7f75f

AgentTesla

fc40429e1461e2cc002fdb2b131ca7eadd4f3a688a24130197667c3493213986

AgentTesla

+ 14'554 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220121-zm6axsbah9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

a092ae5f705794f654f41c0d869e1b7b6dcbb5f7a37f3468714276653dcbb315

MD5 hash:

843b2675ddcfa227b5e4689c9742d28e

SHA1 hash:

e0ea3517f658f6467cd8d05c0e6598d8585b0482

Link:

https://www.unpac.me/results/e86aa158-baab-4975-a167-c3782330a694/

SH256 hash:

91205df0a38631c4554d9e2a8cef45c925c754224fa0f1076324839324a97b30

MD5 hash:

33588e7e15e59b3e0bdec470e57e4898

SHA1 hash:

a97252c112f4c5b8f4019304deb10371c1467947

Link:

https://www.unpac.me/results/e86aa158-baab-4975-a167-c3782330a694/

SH256 hash:

09a10832c8aaab27f2f6b9798fc931459ab49fa57a3d5ef396a58c7545a1aaf2

MD5 hash:

f1d28fdb0d954fea4698532a4c12fa0a

SHA1 hash:

7eba28231d6b584570643c776a86b70a1f96a67a

Link:

https://www.unpac.me/results/e86aa158-baab-4975-a167-c3782330a694/

SH256 hash:

de2387252a9a00bbad8b4e50b4eea5f426c701b3ac6c9cdb85921b2b9fa220ed

MD5 hash:

da4a3878ed0b549954294e4ca19ed140

SHA1 hash:

9d100cc882a8e2ef390a8366b4f559c892d01098

Link:

https://www.unpac.me/results/e86aa158-baab-4975-a167-c3782330a694/

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/de2387252a9a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/de2387252a9a00bbad8b4e50b4eea5f426c701b3ac6c9cdb85921b2b9fa220ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe de2387252a9a00bbad8b4e50b4eea5f426c701b3ac6c9cdb85921b2b9fa220ed

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1996308/

Cape

https://www.capesandbox.com/analysis/221571/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-01-21 20:50:15 UTC

url : hxxp://peak-tv.tk/petercodyzx.exe