MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1bf8b2454c2ca8961343acc4201349f0aece7080de6e0d08aad2a2b04dd4da5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1bf8b2454c2ca8961343acc4201349f0aece7080de6e0d08aad2a2b04dd4da5
SHA3-384 hash: be7cdb2507727e220d21409251addae9dd08f483e764fec859be4489d145882c0805472b3d5366e5bcd2810353137093
SHA1 hash: 5e4b9feb1a733300cfa62c9d042fa3c74b824d76
MD5 hash: 80500affc4d3734701f4d66473465f96
humanhash: don-football-spring-blossom
File name:f1bf8b2454c2ca8961343acc4201349f0aece7080de6e0d08aad2a2b04dd4da5
Download: download sample
Signature AgentTesla
Create hunting rule
File size:956'928 bytes
First seen:2023-06-08 10:30:35 UTC
Last seen:2023-06-08 11:41:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:sS8hue/3H1XDC4n1Gm/yWk3QxVRN8wf5xXIe63soOHlm6DCfpGIu15YaAsjTaZ:sBXDCMq0n2wfAJ3H2m6GubmZ
Threatray 4'976 similar samples on MalwareBazaar
TLSH T10C15CF50A2A85F5AE43A87F54471D87403F65E6EB87ED60B4EDABCCB3A72F510250E03
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f21a832134353535 (2 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f1bf8b2454c2ca8961343acc4201349f0aece7080de6e0d08aad2a2b04dd4da5
Verdict:
Malicious activity
Analysis date:
2023-06-08 10:30:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/71bd5024-f8c7-4d56-8d16-09488d0a82ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/396890/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67108072.611.4732.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin packed stormkitty
Link:
https://www.filescan.io/uploads/6481ade68237763a9bd6824f/reports/6789c0cb-f40f-42e6-a290-e748eb8bd314/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f1bf8b2454c2ca8961343acc4201349f0aece7080de6e0d08aad2a2b04dd4da5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/72b33775-15b9-42c9-a896-757c03e402f9
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1251083
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1bf8b2454c2ca8961343acc4201349f0aece7080de6e0d08aad2a2b04dd4da5/
Threat name:
ByteCode-MSIL.Trojan.StormKitty
Create hunting rule
Status:
Malicious
First seen:
2023-05-18 19:47:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6g7ywjcuylfisyjuhlgeeajut4fozzyibxtobuekvuvcwbg5jwsq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
21b178d2c4a37e242aba83fb691e598e442539566e5bfabc30f7501798684b4d
AgentTesla
6e57cd573de3d14fe09f11364476b54f2b935d545be1258ee843d31573846622
AgentTesla
70d1cc05dbcd41513d2bf9ba133005723b11c2444f642c82548c7cfa04912ecc
AgentTesla
7cdbc9e74ca8d6119202864a709809712505bac9f32b6d60c552f01a1ac090c3
AgentTesla
a2350b33548abf34e63361ea80d402e3d6f83571bea91578bea7ea578e57af44
AgentTesla
a86d1dc8abd7cdd7ce8eb34ee9e739c35ba49d2a4a4c9d62d0da1d2dc14addf1
AgentTesla
a9c9e0370fb2f43eca748b7b3ae730a1d7ef09cd0d61641530b998576c6ab5a4
AgentTesla
aec1fac2d6bb7c644aa0d34bc37c4a95517fe4f903b99b433f195bed50efbe67
AgentTesla
+ 4'966 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230608-mkc55sec43/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6236057808:AAEPjUfD2i1Z2Y6D-v4tJe2o-ZsIOYXQJ0Q/
Unpacked files
SH256 hash:
7efcaa274616e35ef0f2756cc5ce8551f08b946bdefbedba7a41f7ea1cc21e9d
MD5 hash:
9fab22761b4ddedc7ea3d71c7e6de73e
SHA1 hash:
ea08ecbef5a3bd0e701cb2a1b63bdfa131a92f02
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/b3b508b1-6a87-485a-a1e4-30dc55c5c400/
Parent samples :
a9c9e0370fb2f43eca748b7b3ae730a1d7ef09cd0d61641530b998576c6ab5a4
f1bf8b2454c2ca8961343acc4201349f0aece7080de6e0d08aad2a2b04dd4da5
SH256 hash:
1309711c7143e4f8759caeb158240d0434e095759ea0f6c5c461b95d7f623ab4
MD5 hash:
6062aaef57fa5fffaedea56333a2f6ee
SHA1 hash:
b3ea14da348e91f92fc5321958cedc45b0997b9b
Link:
https://www.unpac.me/results/b3b508b1-6a87-485a-a1e4-30dc55c5c400/
SH256 hash:
a5f78aa16c2768f81470f04b40c84da1dd9314357c7521eb71c36ec712f0f566
MD5 hash:
526056067b7115d85c76377ed6e14107
SHA1 hash:
e87ca25318f30c7fc79b41c98c1d38de43c6fada
Link:
https://www.unpac.me/results/b3b508b1-6a87-485a-a1e4-30dc55c5c400/
SH256 hash:
2907ceb0aff33154a49177d6e04e822538f3fb439a55264cdf84b162564afea6
MD5 hash:
ae06e9b9c5d6df3bdb39fbbc75d9b9cd
SHA1 hash:
b03aff7dda4462819b1250e44d80c83aca37237f
Link:
https://www.unpac.me/results/b3b508b1-6a87-485a-a1e4-30dc55c5c400/
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/b3b508b1-6a87-485a-a1e4-30dc55c5c400/
SH256 hash:
f1bf8b2454c2ca8961343acc4201349f0aece7080de6e0d08aad2a2b04dd4da5
MD5 hash:
80500affc4d3734701f4d66473465f96
SHA1 hash:
5e4b9feb1a733300cfa62c9d042fa3c74b824d76
Link:
https://www.unpac.me/results/b3b508b1-6a87-485a-a1e4-30dc55c5c400/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f1bf8b2454c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1bf8b2454c2ca8961343acc4201349f0aece7080de6e0d08aad2a2b04dd4da5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/396890/

Comments