MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f01102bc0d4dd2e2508bcf195df1e52fe46afeba7b079cd7d9f51007ed9b6141. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	f01102bc0d4dd2e2508bcf195df1e52fe46afeba7b079cd7d9f51007ed9b6141
SHA3-384 hash:	4b46bc6bd42eb2b637b51027d2c033db03273417e55910c23d33ee697acaf83bc6d404b2f7e99f0e5df8c45916df3bf3
SHA1 hash:	109bb100a50bdfea6f07150241832e0d15dc57aa
MD5 hash:	0172e22c44174c1a72395169757359cd
humanhash:	dakota-johnny-yellow-july
File name:	Bank TT request.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	93'184 bytes
First seen:	2023-01-26 14:29:39 UTC
Last seen:	2023-01-30 13:18:00 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	1536:JhkXYQqraJZMrFSq06312wR7JEuaXKNVcb5uXlWoaPbZVWZvwgET5N6Zm:oYQqraJZMrFf0+R7yueisgkoaP1VYxEn
Threatray	1'001 similar samples on MalwareBazaar
TLSH	T1CD93F75573FC461BF3BF06B87A7518640EBAF91BA522D7582D9D20CE0A227C08B5137B
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Bank TT request.exe

Verdict:

No threats detected

Analysis date:

2023-01-26 14:32:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/21241f05-76b0-4543-a181-93a5a74d2c7d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/357150/

Detection(s):

Sanesecurity.Rogue.0hr.20230126-1133.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a file

Launching a process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

DNS request

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/63d28e6d528134caf043453a/reports/6550c43b-8dbf-4695-b6de-b9d7cc59fcd7/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/82b26884-34b2-4f20-9e33-cd56a4b0281f

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1159606

Signature

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f01102bc0d4dd2e2508bcf195df1e52fe46afeba7b079cd7d9f51007ed9b6141/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-01-26 14:29:27 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6aiqfpanjxjoeuelz4mv34pff7sgv7v2pmdzzv6z6uiap3m3mfaq._file

Verdict:

malicious

AgentTesla

41d58a31e2befb91705b4630f2cc48bfe9c09d5c26aee2034e5279b7bb314f4c

AgentTesla

59494a51618f234021c0dae2d87667ce9e431b8a75a1b4952d3e48bf71492fbb

AgentTesla

6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778

AgentTesla

65a2b3cf112d50e941051116e68b736239d521bf7611e143ae1c83f93716f6f5

AgentTesla

8d7c1cb321e7b41dc11548e8a3e02c0394e50494b06d499e0465eb3919372d04

AgentTesla

911c9969dfd1e3f89fc0078e539f8fd12f751a84efef74f506a301cba2b9010b

AgentTesla

914e09b5e1bee2e3bbb2d77f8fae1a8069f67b887f6abf9c5785e9fc5e39dd1c

AgentTesla

9a2232a4a9ceef2c3fcfee0acca71d5717395aff8abd1b6b26aa3a5c266b3fae

AgentTesla

a7555fbbb59c9e063dfa6b392af01c02f1d23679e53882fc1cb6d3a432330c50

AgentTesla

+ 991 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230126-rt5zqsfd31/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

f01102bc0d4dd2e2508bcf195df1e52fe46afeba7b079cd7d9f51007ed9b6141

MD5 hash:

0172e22c44174c1a72395169757359cd

SHA1 hash:

109bb100a50bdfea6f07150241832e0d15dc57aa

Link:

https://www.unpac.me/results/fbd5af97-005b-43b4-9923-5405f0506172/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/f01102bc0d4dd2e2508bcf195df1e52fe46afeba7b079cd7d9f51007ed9b6141

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 62dee34bb2b74ff4e75f8473a471559b457ef40bb247ce98c703d5fe17f316d1

AgentTesla

exe f01102bc0d4dd2e2508bcf195df1e52fe46afeba7b079cd7d9f51007ed9b6141

(this sample)

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/357150/

Dropped by

SHA256 62dee34bb2b74ff4e75f8473a471559b457ef40bb247ce98c703d5fe17f316d1

Dropped by

MD5 09b9a8f30086f2c68419039452190df6

Dropped by

SHA256 48c272ac3047c2e410a325ea623745001faa0fa9e55a58bc7688dc310ba07870

Dropped by

MD5 5ef15abd937eb2220e45ddd243f7958d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample