MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f18a2b2d68691d79ca7b517b7111b3bcdc5f978f70735cbda33ba0260b54780f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

SHA256 hash: f18a2b2d68691d79ca7b517b7111b3bcdc5f978f70735cbda33ba0260b54780f
SHA3-384 hash: f985117cd7717f4ffc7b3719406cae941a31dc8ffc95dbdb59592db4c0cdb6a36f35fefc1523172ae87df6c5f65bf536
SHA1 hash: 2d88d39eeb1693aefbff38ff66cdb8f2bc009ba8
MD5 hash: 018f1446f5ec5f968c07ee7c86cfa465
humanhash: blue-white-lima-early
File name: 018f1446f5ec5f968c07ee7c86cfa465.exe
Signature AgentTesla
File size: 1'058'816 bytes
First seen: 2023-02-24 13:46:22 UTC
Last seen: 2023-02-24 15:29:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:gRllp/4JEyvCmfHve9Oa5A/Q00AQ1PWW+AF:QH/4LfHve9b5A/xvQd
Threatray 529 similar samples on MalwareBazaar
TLSH T1B4359C5772F08537F99F42FC063456CE2D32B253712CE22A5E6B39488E16DFAB1D8261
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
http://208.67.105.179/obizx.exe
Verdict:
Malicious activity
Analysis date:
2023-02-24 02:46:23 UTC
Tags:
agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2023-02-23 21:56:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
17 of 38 (44.74%)
Threat level:
5/5
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SHA256 hash:
b2dd5bcf9138720f9ffeca3b8aefa001e40b2dd879c1db3bb8e47281c3575f8e
MD5 hash:
301d49f143b4559eebb04d6604c9c806
SHA1 hash:
8e1065918d606bf77bf8d0fd3375de5c1e4ec0b3
SHA256 hash:
a56e52fdd478f1bea41acd4fd3148a8d0d7ec0b4b3f9cb9c7175bf51efcf2efc
MD5 hash:
aa4142ed5694fc1cfaf771b1821a55a8
SHA1 hash:
4c54fc567be5d7793cd354f19dc899429291bc5c
SHA256 hash:
78df7f186011ed70b946e8c108240edd3cb7c47a18f3c1781e5df47ed6f3a55c
MD5 hash:
aa43f32f85ec050c62ea529b9a352471
SHA1 hash:
4b6563cf549239fdf3ce36dde32f14116c55e566
SHA256 hash:
648749114b1a7f198b44dba4261ea0ca4f6752d76bd1842f1b3f6429c7f2506f
MD5 hash:
583545ed70314bb191ffcafb5a686fb9
SHA1 hash:
4977b87e43a706353cb5161bf1d3512aa0938282
Detections:
AgentTesla
Parent samples :
SHA256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
SHA256 hash:
f18a2b2d68691d79ca7b517b7111b3bcdc5f978f70735cbda33ba0260b54780f
MD5 hash:
018f1446f5ec5f968c07ee7c86cfa465
SHA1 hash:
2d88d39eeb1693aefbff38ff66cdb8f2bc009ba8
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f18a2b2d68691d79ca7b517b7111b3bcdc5f978f70735cbda33ba0260b54780f

(this sample)

  
Delivery method
Distributed via web download

Comments