MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e92d947e5ba510e9dff65b5e87e56e08df8c70e1bd9a05ea7ed08a860b957295. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e92d947e5ba510e9dff65b5e87e56e08df8c70e1bd9a05ea7ed08a860b957295
SHA3-384 hash: abd431e144fc127240c0a96f67f50d26d8151a589da55e575c0f200ee1269e7a20fa2dd4724ac09e602cd3921f86b5f9
SHA1 hash: 64cc95844eb7e1b367d9e0f3821e0b10b81ae4a0
MD5 hash: 9034993f93ee8a874386bcde4b0206a3
humanhash: cold-cola-artist-tennessee
File name:hesaphareketi-02.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:477'180 bytes
First seen:2023-02-13 15:03:52 UTC
Last seen:2023-02-13 16:35:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:GYa62DaNJTCoOn9JlEPKpOp4EviFeYvegZS1bjotnvPnxKqqL6+TEKMTBwT:GY8aHTbaJePKpOp4zBvgvoNoTLxiwT
Threatray 24'962 similar samples on MalwareBazaar
TLSH T191A44AE121ACC3D7D0F29D712F9A867075F139ACE4D4520C60F99B2E93D23A415DCAEA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4bc3484a4848484 (2 x SnakeKeylogger, 1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hesaphareketi-02.exe
Verdict:
Malicious activity
Analysis date:
2023-02-13 15:06:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b0f428d2-a0a5-44e8-ae24-f47d5ba64b2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/365123/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29069.24821.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Сreating synchronization primitives
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/69088/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e92d947e5ba510e9dff65b5e87e56e08df8c70e1bd9a05ea7ed08a860b957295
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6206b943-325e-4b70-98f6-4655d2273997
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1173642
Signature
Contains functionality to detect sleep reduction / modifications
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 806444 Sample: hesaphareketi-02.exe Startdate: 13/02/2023 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected Telegram RAT 2->48 50 2 other signatures 2->50 7 hesaphareketi-02.exe 19 2->7         started        10 okqra.exe 2->10         started        13 okqra.exe 2->13         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\uscvwu.exe, PE32 7->28 dropped 15 uscvwu.exe 1 2 7->15         started        60 Multi AV Scanner detection for dropped file 10->60 19 WerFault.exe 4 10 10->19         started        22 WerFault.exe 10 13->22         started        signatures5 process6 dnsIp7 30 C:\Users\user\AppData\Roaming\...\okqra.exe, PE32 15->30 dropped 36 Multi AV Scanner detection for dropped file 15->36 38 Detected unpacking (changes PE section rights) 15->38 40 Detected unpacking (overwrites its own PE header) 15->40 42 6 other signatures 15->42 24 uscvwu.exe 17 3 15->24         started        32 192.168.2.1 unknown unknown 19->32 file8 signatures9 process10 dnsIp11 34 api.telegram.org 149.154.167.220, 443, 49695 TELEGRAMRU United Kingdom 24->34 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->52 54 Tries to steal Mail credentials (via file / registry access) 24->54 56 Creates multiple autostart registry keys 24->56 58 Tries to harvest and steal browser information (history, passwords, etc) 24->58 signatures12
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e92d947e5ba510e9dff65b5e87e56e08df8c70e1bd9a05ea7ed08a860b957295/
Threat name:
Win32.Trojan.GenShell
Create hunting rule
Status:
Malicious
First seen:
2023-02-13 13:00:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
14 of 25 (56.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ewzi7s3uuiotx7wlnpipzlobdpyy4hbxwnal2t62cfimc4vokkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
216509ca0f82c10daa1b7ea155f150766effa1270b1cc4d946f7b6d26851f092
AgentTesla
506cd82114715316ac634852726575bca6bbb040ddef761d253cc6e26562330f
AgentTesla
5b5a5e8c97ff516d8161fe13a09ca8fb3fefbd8655da980058cfe8db3b4644c2
AgentTesla
6941a5420e23e7309cc09e6ffebf847a7c781dbbb726996a2b3d36340d347819
AgentTesla
7a4d0d31bb0250759bfcc1c939db0df5c90e55dc5a17510552e0a273d88dbee8
AgentTesla
808bb32f710ae23d2a4b53b873f766bf56d905dbe8e51810edd15ff79538cd94
AgentTesla
d0ce89d792fe46b6bb39c2eb3437e5b20d3e5bce72d684941b96a49bcac9c39a
AgentTesla
f711597a4eb7c26df4f434b6ba92ba617918340e1fafcf106aadfb0ff4902775
AgentTesla
+ 24'952 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230213-sflvdadd71/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5819264248:AAFhEWqwzH97rboiSTIKhByPMpt7aFJRdMQ/
Unpacked files
SH256 hash:
ba5eca78c75e5b56a8b984b6730fd81265d0001edb656cd9df1cf6f3cb7cb310
MD5 hash:
6065faa663b8faae1b8fbb2f6e135fe0
SHA1 hash:
f92a799c7cf016592920eb878f8a5c708ca42977
Link:
https://www.unpac.me/results/420f8ef9-ad28-4cdc-9d7f-3f6ac1aedd81/
SH256 hash:
1a91b4372297da1a8dd2aa9e47f46fe898de7ee27402f6a9708f6c529526da28
MD5 hash:
3766bbe47ae9f18f3271e110ec7cdabc
SHA1 hash:
f24bf7dab918c509e2d8fff9f6f1ea44333c9e1e
Link:
https://www.unpac.me/results/420f8ef9-ad28-4cdc-9d7f-3f6ac1aedd81/
SH256 hash:
7b74166e5e66ca2bd2c6b534bbffa915cf78bb96205ec2927c0d536a5925195a
MD5 hash:
e21472f28d1aacbb93f7a463ea6b1e77
SHA1 hash:
68c1409c7390b6f9e459fd70917bd0ac4aa12482
Link:
https://www.unpac.me/results/420f8ef9-ad28-4cdc-9d7f-3f6ac1aedd81/
SH256 hash:
e92d947e5ba510e9dff65b5e87e56e08df8c70e1bd9a05ea7ed08a860b957295
MD5 hash:
9034993f93ee8a874386bcde4b0206a3
SHA1 hash:
64cc95844eb7e1b367d9e0f3821e0b10b81ae4a0
Link:
https://www.unpac.me/results/420f8ef9-ad28-4cdc-9d7f-3f6ac1aedd81/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e92d947e5ba5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e92d947e5ba510e9dff65b5e87e56e08df8c70e1bd9a05ea7ed08a860b957295

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/365123/

Comments