MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f26f175b6191179d1652a4be425c02968ed105891604aae297b2efc14a88c5f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f26f175b6191179d1652a4be425c02968ed105891604aae297b2efc14a88c5f5
SHA3-384 hash: 3cbf8381878e99031c78cbd984f16c9c07d7edfc38ae00a0157f7635226d2cc1a9608bbb76d0ea584b1d0eee44daf805
SHA1 hash: eb047beda8995694838e5abccbc0c2a1624c41b4
MD5 hash: e3307782269b833514ec9ac50cf97adb
humanhash: papa-steak-michigan-wolfram
File name:AWB5032675620_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:890'880 bytes
First seen:2022-03-11 12:16:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:0r1MxRAjU4uY79QCZoLAn8McOwiVWo8G0yf6U:8fQ4uS9Vvn8McU7
Threatray 16'669 similar samples on MalwareBazaar
TLSH T1B915CFE0EE5883BEED10727AC1E808701EB5299E3421FF1A954D01DE0A67FCF55E652E
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249404/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/622b3dc20cd58dbd927df9b6/reports/0b13e6c5-0c38-4a32-9e61-ce0487489d81/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e04963d5-3bd2-4aca-a25f-5bf089480c10
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/954850
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f26f175b6191179d1652a4be425c02968ed105891604aae297b2efc14a88c5f5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-11 12:17:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jxrow3bselz2fssus7eexacs2hncbmjcyckvyuxwlx4csuiyx2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1dd55c3da57f38fa92cf2ea0beb0f05afdc542492b66158a6190f681dcaffdfc
AgentTesla
20caa9bbab7ef41b3766a4fc9c1690b84b9425a1105eb563673a5000f02936b3
AgentTesla
21bd5e4845c12f0601ae8988314a461339e03e78267cac80f4a34ce93ad404ab
AgentTesla
6f47301c8691d7f68ccf71931b8e2664fad0720d1f4d01f4bfda35cd1a076bd1
AgentTesla
8fcfe841647c5f4d3f10b59fa63b2e2dff841b4c5c39cbfa828146281e49ad77
AgentTesla
a08a2ea7f574259a68c3cc7d0ff2c1f46e9a57e9802cf5fc41803787564451e8
AgentTesla
a46f86c07e8b027436a3fbaea75328a4ba9de62225ca949f61c6c9c3187b90bf
AgentTesla
c05e310c646407fa733712a98c822a5416ca1124322429d8d2a90966e909a6b5
AgentTesla
cfdd61cbadd16020af664f9a06e87fb4a5aff6b7ad97ad003c201d96208faaa1
AgentTesla
+ 16'659 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220311-pf2daacdfn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
.NET Reactor proctector
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
d79119d4b35b89c1bdd31db29ef95988eea95a676ef1edb9ad21be4af6b5f2a6
MD5 hash:
ac2e0c0f92583634c590f3e39b56af90
SHA1 hash:
b81241cf80c82a0e6d40e2e66902a216498f5acc
Link:
https://www.unpac.me/results/c3faf59e-eb33-448d-bfc5-c747c07e25e2/
SH256 hash:
c75ccb1a5b4a0fc08251048105696b3b7eb8d270ad1317b5277a8dd8d37472b1
MD5 hash:
29adbabd1bd6f1b4905e8fbb404c4c0a
SHA1 hash:
9f3fb1a294c11a85ced4e05d8c555dc2598ea520
Link:
https://www.unpac.me/results/c3faf59e-eb33-448d-bfc5-c747c07e25e2/
Parent samples :
718108fa6ed209c41519790279fa6e86ea7ac2de9bf48528c48f50f97602bf3b
4e2bdf836d194b0403c2692bd0f6d3f113eda05b3e6925c88e0e2d7899f2a595
42c62f61b68113876875636bdae131773cb34e6c0e6e656662ec68d8b34b0c13
ac6e353a17337ed2a5b17500d60f5c74c71d479fd88ce124f256fe09b1378798
e38b4383a70321dc1aa407523474413fe583399fe638aad66fe9113096a8b203
ec84bde980efa561e8c00450fc300a499497d96d5adb5d1d3d587f1ada6549dd
460a7bca0fd3387dfb440db9676a8d784894d9e4ec35c61e4866578bac46dd51
33688ef783b3f8913608927cc25e28bb4a7097a2636d734af213956c60178784
SH256 hash:
8dfa6700baab81a326aaf1b7cbed8b6e92b06ccd8321d174faacb446a7105189
MD5 hash:
2722ce8897865fc5a4f1b4a0fbe52011
SHA1 hash:
8caa566b9bca816fa5f41610f32e048adb6e164c
Link:
https://www.unpac.me/results/c3faf59e-eb33-448d-bfc5-c747c07e25e2/
SH256 hash:
9b00e2fa33ad72dec22a5e107ab6886da72bbe0bed89a721e877c1dc3ce6a662
MD5 hash:
b4c9c16228f0ee1de70ffc6264fb720c
SHA1 hash:
437049e452a511e220abdb32df695cdf07f5a7d0
Link:
https://www.unpac.me/results/c3faf59e-eb33-448d-bfc5-c747c07e25e2/
SH256 hash:
f26f175b6191179d1652a4be425c02968ed105891604aae297b2efc14a88c5f5
MD5 hash:
e3307782269b833514ec9ac50cf97adb
SHA1 hash:
eb047beda8995694838e5abccbc0c2a1624c41b4
Link:
https://www.unpac.me/results/c3faf59e-eb33-448d-bfc5-c747c07e25e2/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f26f175b6191/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f26f175b6191179d1652a4be425c02968ed105891604aae297b2efc14a88c5f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f26f175b6191179d1652a4be425c02968ed105891604aae297b2efc14a88c5f5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/249404/

Comments