MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2a3446b8d4482a462c8f8a74b1eaed194f6f09434585ac9200ee1392ccf702e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2a3446b8d4482a462c8f8a74b1eaed194f6f09434585ac9200ee1392ccf702e
SHA3-384 hash: e811a50306cee433ff86887346c7a6c458ddb0340cdfdb086d10b95133598d111ace2d24b985901b94611d18b5d6b3c8
SHA1 hash: 5656ad2c3bd99806850892c8ac6c020126db003f
MD5 hash: 6aa9455c88a3197f4204e66ae5b782a9
humanhash: monkey-three-wolfram-football
File name:SecuriteInfo.com.Win64.PWSX-gen.13860.30959
Download: download sample
Signature AgentTesla
Create hunting rule
File size:680'448 bytes
First seen:2024-04-22 04:27:58 UTC
Last seen:2024-04-22 06:00:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:NqsjVLdPadvmEABBbsHam2l9Tw+3ppZPaUsNpgfMs9dvG:MYVxyzABRsHafDUyphaTpGX
Threatray 10 similar samples on MalwareBazaar
TLSH T1D0E423658B9F8300C58C3B726D425D6443B6B39BD333D7DE5E6DDA990870F980B2821B
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
314
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f2a3446b8d4482a462c8f8a74b1eaed194f6f09434585ac9200ee1392ccf702e.zip
Verdict:
Suspicious activity
Analysis date:
2024-04-22 06:52:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5c562659-9659-4460-874a-c20ce6deec99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Searching for synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6625e7543137a4e0f3bd86e3/reports/3646c61d-d113-4757-98b5-0a6f5dda8618/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f2a3446b8d4482a462c8f8a74b1eaed194f6f09434585ac9200ee1392ccf702e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/599c9831-c6de-40e0-b10b-2c394f8662d1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1429432
Signature
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f2a3446b8d4482a462c8f8a74b1eaed194f6f09434585ac9200ee1392ccf702e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2a3446b8d4482a462c8f8a74b1eaed194f6f09434585ac9200ee1392ccf702e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-04-22 03:06:24 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6krui24nisbkiywi7ctuwhvo2gkpn4eugrmfvsjab3qtslgpoaxa._file
Verdict:
unknown
Similar samples:
81f6e3ff9cc821300e30acd628d0579793806ebfb89941d04f9bc33998f9a851
AgentTesla
b80690f5312d2360d3a790392594b78aaada3ed6120d9a28300f408f286ce6e6
AgentTesla
e45d04ff7d7cf56be94c3a62cb66f2365d861e1a8c1145d3ef602d2bc68a08cc
AgentTesla
e5732b98cf2583a638596031d273fe494682bbd49e7572de4cc7b1da34d365c5
AgentTesla
f2a3446b8d4482a462c8f8a74b1eaed194f6f09434585ac9200ee1392ccf702e
AgentTesla
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240422-e3netsfd96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
f2a3446b8d4482a462c8f8a74b1eaed194f6f09434585ac9200ee1392ccf702e
MD5 hash:
6aa9455c88a3197f4204e66ae5b782a9
SHA1 hash:
5656ad2c3bd99806850892c8ac6c020126db003f
Link:
https://www.unpac.me/results/c390097c-8314-450e-97dd-2e253d027fd5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2a3446b8d44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 7b62469ae962aa25540537bcef906107f5b078312c7af70843a6bb78bb14fc09

AgentTesla

Executable exe f2a3446b8d4482a462c8f8a74b1eaed194f6f09434585ac9200ee1392ccf702e

(this sample)

  
Dropped by
SHA256 7b62469ae962aa25540537bcef906107f5b078312c7af70843a6bb78bb14fc09
  
Dropped by
MD5 9e019e1fa9dfeced4785aef977a70853

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments