MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5422aab2b092de22741f596fef6ec85bb285f9ddee4efd3b1e5a165f7bddbaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5422aab2b092de22741f596fef6ec85bb285f9ddee4efd3b1e5a165f7bddbaa
SHA3-384 hash: d8e4e275f2e6ec6b14bd5d058330e97021559f80561940da7844a0c46c046ebf688ce4f5aefdb3017e574cc664e961e8
SHA1 hash: d0eb5ca3ebf499647bc1d36e2dd5475bbafeb5a8
MD5 hash: bd312625b12c51b9b43b63626fc3e2d9
humanhash: snake-indigo-grey-papa
File name:Halkbank_Ekstre_20230723_080713_458894.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:828'928 bytes
First seen:2023-07-24 06:04:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:mZvJRBusykXFmATPMXVw9xbA+GyAI84ioERNR81TzBc:oFuw4yMlw9KhyadoEnUzB
Threatray 5'155 similar samples on MalwareBazaar
TLSH T1B905221637596E23F1DCBDF44AA0986113B655917027C3DEDEB20189AEE2B80FF218D3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d455a86d496832b0 (15 x AgentTesla, 10 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe geo Halkbank TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Halkbank_Ekstre_20230723_080713_458894.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-24 06:08:59 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/28339cb0-791b-4d5e-9978-5a47700ae1d7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/430547/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.37323.978.22912.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e5422aab2b092de22741f596fef6ec85bb285f9ddee4efd3b1e5a165f7bddbaa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3bb9fef6-97fc-484a-9aaa-dcca0f5d6d3e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278086
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278086 Sample: Halkbank_Ekstre_20230723_08... Startdate: 24/07/2023 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic 2->74 76 Found malware configuration 2->76 78 Sigma detected: Scheduled temp file as task from temp location 2->78 80 8 other signatures 2->80 7 Halkbank_Ekstre_20230723_080713_458894.pdf.exe 7 2->7         started        11 kiyDtzCaccn.exe 5 2->11         started        13 plQRn124.exe 5 2->13         started        15 plQRn124.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\...\kiyDtzCaccn.exe, PE32 7->52 dropped 54 C:\Users\...\kiyDtzCaccn.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmp1290.tmp, XML 7->56 dropped 58 Halkbank_Ekstre_20..._458894.pdf.exe.log, ASCII 7->58 dropped 92 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->92 94 May check the online IP address of the machine 7->94 96 Uses schtasks.exe or at.exe to add and modify task schedules 7->96 98 Adds a directory exclusion to Windows Defender 7->98 17 Halkbank_Ekstre_20230723_080713_458894.pdf.exe 17 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        100 Multi AV Scanner detection for dropped file 11->100 102 Machine Learning detection for dropped file 11->102 104 Injects a PE file into a foreign processes 11->104 26 kiyDtzCaccn.exe 11->26         started        36 2 other processes 11->36 28 plQRn124.exe 13->28         started        30 schtasks.exe 13->30         started        32 plQRn124.exe 15->32         started        34 schtasks.exe 15->34         started        signatures5 process6 dnsIp7 60 api.ipify.org 17->60 62 api4.ipify.org 64.185.227.156, 443, 49692, 49695 WEBNXUS United States 17->62 72 2 other IPs or domains 17->72 48 C:\Users\user\AppData\...\plQRn124.exe, PE32 17->48 dropped 50 C:\Users\...\plQRn124.exe:Zone.Identifier, ASCII 17->50 dropped 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->82 84 Tries to steal Mail credentials (via file / registry access) 17->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->86 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        64 api.ipify.org 26->64 66 api.ipify.org 28->66 42 conhost.exe 30->42         started        68 173.231.16.76, 443, 49702 WEBNXUS United States 32->68 70 api.ipify.org 32->70 88 Tries to harvest and steal browser information (history, passwords, etc) 32->88 44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        file8 90 May check the online IP address of the machine 60->90 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5422aab2b092de22741f596fef6ec85bb285f9ddee4efd3b1e5a165f7bddbaa/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 04:10:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4vbcvkzlbew6ej2b6wlp55xmqw5sqx4533so7u5r4wqwl5553ova._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
363b5b951382bb7c9af26fadf9a61541d5a2d4e733adcb40fbc87e18579fd69f
AgentTesla
3643035d381e44f0facf01f5463aa05fee4315b2c72fea1a96ef28d0185f7369
AgentTesla
5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f
AgentTesla
7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a
AgentTesla
76d55aec6c6ce78586bcfa2b1ae7e727d9c922ff75a3f2aedc7cba917f793395
AgentTesla
81a48f67c7805ecf8ee47f17999208a9a116fca844d8dff8dbf12f66f4c91445
AgentTesla
ae2f668db376e89695e11dd9bed4d3becf18a74f812b6b647beaf39ab2aa3610
AgentTesla
af093bd71cb66c24a34d31d6efa125d86e6ffa89bfbfad9d20658889553e133d
AgentTesla
c6dc183e0a2208e4a95bbed33b18f8ec0fac159bc5aab10490df7d2dd78026b4
AgentTesla
cc8a067e19c40815e99543a5728c7c12fc2f1a5c64f0a09bfa2504574fcd9a91
AgentTesla
+ 5'145 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230724-gs6vjaag2t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
b0650593ee79c50810c861ce8380734ea9de3a1adf77e425cf86b8673ade7b72
MD5 hash:
d68f2f9257c91b202f5d393689199180
SHA1 hash:
c98b52638766aca0e2c82b2416d23f296370660e
Link:
https://www.unpac.me/results/df5b9991-6856-47d7-b206-aae2de293244/
SH256 hash:
77ad347864fa9d1886d8445d0582fa325423ed2b92f70ca2386a88b819f3d31d
MD5 hash:
1bf1dbe2766e00b698fda826c05745ad
SHA1 hash:
ba374122165ec64e0895c208d6d532da8f7ea2cf
Link:
https://www.unpac.me/results/df5b9991-6856-47d7-b206-aae2de293244/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/df5b9991-6856-47d7-b206-aae2de293244/
SH256 hash:
3f9bfaecc765c930a7788b1247229407ce06bf94cabd2b77b8905673ac8d8649
MD5 hash:
22ac08d627b11d82604e7bfbbf81ab8e
SHA1 hash:
8f3db00f6c1da3547e315bae605275bd514ca815
Link:
https://www.unpac.me/results/df5b9991-6856-47d7-b206-aae2de293244/
SH256 hash:
e5422aab2b092de22741f596fef6ec85bb285f9ddee4efd3b1e5a165f7bddbaa
MD5 hash:
bd312625b12c51b9b43b63626fc3e2d9
SHA1 hash:
d0eb5ca3ebf499647bc1d36e2dd5475bbafeb5a8
Link:
https://www.unpac.me/results/df5b9991-6856-47d7-b206-aae2de293244/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5422aab2b09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5422aab2b092de22741f596fef6ec85bb285f9ddee4efd3b1e5a165f7bddbaa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e5422aab2b092de22741f596fef6ec85bb285f9ddee4efd3b1e5a165f7bddbaa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/430547/

Comments