MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2227038e0ff26cbcf040a694c1e6e0fd3c42316179c97eb539744aebc4ec0f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2227038e0ff26cbcf040a694c1e6e0fd3c42316179c97eb539744aebc4ec0f2
SHA3-384 hash: cad4c0485055221416f854d42a4511bfd91da031ae173211a225e994ff53a1e00f0989dcb16024c1d2be6b6bb14efc0a
SHA1 hash: 157242e38eebbd0d84aa9d5568d99768d1610944
MD5 hash: baef837e12c5deaa2459a73398749217
humanhash: jig-nine-stream-video
File name:baef837e12c5deaa2459a73398749217.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:666'624 bytes
First seen:2023-04-05 13:12:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:XxgKMupv8myT55upXd92/K4Hil8m5VOy9rx3SEo/:XBF8myTDmi/sl88Oy9rBSEo
Threatray 1'842 similar samples on MalwareBazaar
TLSH T12BE4125973FD8B35C09E1B7BF8A6311507F4F63A3092EB1E6DC196E84DA374098112AB
TrID 49.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.7% (.SCR) Windows screen saver (13097/50/3)
7.0% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 00706dd050697000 (9 x AgentTesla, 5 x Loki, 4 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PSC_ A-2303310.doc
Verdict:
Malicious activity
Analysis date:
2023-04-05 12:10:30 UTC
Tags:
exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/1b5b1f50-3a77-4d49-b2f7-079fe3c421d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380312/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642d73de7dc0445b23891655/reports/ec58b3cb-ebdb-4396-81b6-2f3039668747/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f2227038e0ff26cbcf040a694c1e6e0fd3c42316179c97eb539744aebc4ec0f2
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d35f0d8-1d54-4574-b667-7cb7397d98c8
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209125
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 842040 Sample: ZypC4liuk1.exe Startdate: 05/04/2023 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected zgRAT 2->55 57 2 other signatures 2->57 6 ZypC4liuk1.exe 3 2->6         started        10 RMBJLaF.exe 3 2->10         started        12 RMBJLaF.exe 2 2->12         started        process3 file4 23 C:\Users\user\AppData\...\ZypC4liuk1.exe.log, ASCII 6->23 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->59 61 May check the online IP address of the machine 6->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->63 14 ZypC4liuk1.exe 17 5 6->14         started        65 Multi AV Scanner detection for dropped file 10->65 67 Injects a PE file into a foreign processes 10->67 19 RMBJLaF.exe 14 2 10->19         started        21 RMBJLaF.exe 12->21         started        signatures5 process6 dnsIp7 29 api4.ipify.org 64.185.227.155, 443, 49700 WEBNXUS United States 14->29 31 server327.web-hosting.com 67.223.118.132, 25, 49703, 49708 VIMRO-AS15189US United States 14->31 33 api.ipify.org 14->33 25 C:\Users\user\AppData\Roaming\...\RMBJLaF.exe, PE32 14->25 dropped 27 C:\Users\user\...\RMBJLaF.exe:Zone.Identifier, ASCII 14->27 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->43 45 Tries to steal Mail credentials (via file / registry access) 14->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->47 35 104.237.62.211, 443, 49705 WEBNXUS United States 19->35 37 api.ipify.org 19->37 39 173.231.16.76, 443, 49707 WEBNXUS United States 21->39 41 api.ipify.org 21->41 49 Tries to harvest and steal browser information (history, passwords, etc) 21->49 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2227038e0ff26cbcf040a694c1e6e0fd3c42316179c97eb539744aebc4ec0f2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-05 12:46:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
17 of 35 (48.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6irhaoha74tmxtyebjuuyhtob7j4iiywc6ojp22ts5ck5pcoydza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2c5117280800871fbceb13a571a8d602c17f3c08247c8ccf546bb9dc8adda73e
AgentTesla
493781dc1d845e09f96742dfdc2edaef673ac5d4b2139875929166f2627dc161
AgentTesla
63dfdf139256d716209f2c662066602cf83e2b8d5988195c6e3cc07c2746a430
AgentTesla
686579ac798116984a5f68c10fff3ae521d14c3cfc5e7891618a963693dfeb6f
AgentTesla
89a0e99ef4a97ea1ad4212d7f539c9e851b97108f93a6ff64bbb0b5a5e8997d7
AgentTesla
d1a22dda5220ba19084b3e191aa4cf0028dc48e3176294f3bc298f0d4936de03
AgentTesla
d6c81069f8763d1bb3ee317188270f97b60271b52ab35bd92080dde6913ad2e2
AgentTesla
e2e68b7e99d8253a02362747671cd1a55293166b771043a7bdb689f56331abc9
AgentTesla
e4d939344533d8c8b97cbc723acd7c4f6195b5d81be576d93918a943b67d8edd
AgentTesla
+ 1'832 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230405-qf3f1sgg9t/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
eea722c2d34583f9959dc92ac1ce9a18bc0b68615d581fc021b0db6e9e44232f
MD5 hash:
e419328c0b7b5bede988d1c0716a649f
SHA1 hash:
bd00ccbdf88a05b208661d894be66061826bd364
Link:
https://www.unpac.me/results/3c38b80c-9bae-4e5b-9e8a-ae1b11163e7d/
SH256 hash:
386edb83430023a4479798ed095026ef28f97acb8ee072a55d4b00f156bb6026
MD5 hash:
719b13e2c8bacf1f67955653f48f50d8
SHA1 hash:
b27df5618c0c5e2bc65d7b11c14ca9a0a2efa070
Link:
https://www.unpac.me/results/3c38b80c-9bae-4e5b-9e8a-ae1b11163e7d/
SH256 hash:
4499077fe4f2c56b509836c30fb2dfc9410d73b0767bbbf88696ca941df6a623
MD5 hash:
1990b2894ddc5c880fd0719698058001
SHA1 hash:
9fc799bbb24905e466ef2a115cd8c0a7a18e2382
Link:
https://www.unpac.me/results/3c38b80c-9bae-4e5b-9e8a-ae1b11163e7d/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/3c38b80c-9bae-4e5b-9e8a-ae1b11163e7d/
SH256 hash:
1bc68c8262b3aecc3e6ff57d237f1ef007917c95c437d5a34db5e06789944ef2
MD5 hash:
c41a47c5b538fc200aa1d9980117ea99
SHA1 hash:
36de4ab8c9b7575a97b26e311167424bf1b38f71
Link:
https://www.unpac.me/results/3c38b80c-9bae-4e5b-9e8a-ae1b11163e7d/
SH256 hash:
f2227038e0ff26cbcf040a694c1e6e0fd3c42316179c97eb539744aebc4ec0f2
MD5 hash:
baef837e12c5deaa2459a73398749217
SHA1 hash:
157242e38eebbd0d84aa9d5568d99768d1610944
Link:
https://www.unpac.me/results/3c38b80c-9bae-4e5b-9e8a-ae1b11163e7d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2227038e0ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2227038e0ff26cbcf040a694c1e6e0fd3c42316179c97eb539744aebc4ec0f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f2227038e0ff26cbcf040a694c1e6e0fd3c42316179c97eb539744aebc4ec0f2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2598337/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/380312/

Comments