MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2d04e3471be382205e0e8c40cdee1ccdae9b73527f8a428108ba231da16e68d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2d04e3471be382205e0e8c40cdee1ccdae9b73527f8a428108ba231da16e68d
SHA3-384 hash: 04cf285f35f7dc6f31d97393b29e00f928b2aab6ecb31bdf004f1dd72fad2b3aef8b62db97142f0a1ed6da1e4c94ae56
SHA1 hash: e156647a0116b156fad125663d93bc19f6d6301d
MD5 hash: 23896fb7fd3c88ed96f3dc35e58c9d28
humanhash: mississippi-early-twelve-pip
File name:23896fb7fd3c88ed96f3dc35e58c9d28
Download: download sample
Signature AgentTesla
Create hunting rule
File size:576'000 bytes
First seen:2023-07-11 12:41:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Xz6XGCenfOncsjvY1O0ykUJXDfc0Vw20sDoyEpx/x9:XOWCqfsjvWO0yzJjJFoyEX5
Threatray 422 similar samples on MalwareBazaar
TLSH T1DCC4122361B8F335D85C2FFD1146648A23E82D497C74EB2C8D1B8CD58A7A77414ACADB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
f7c101969fb10e121abf500446015d73
Verdict:
Malicious activity
Analysis date:
2023-07-11 12:44:48 UTC
Tags:
exploit cve-2017-11882 loader agenttesla
Link:
https://app.any.run/tasks/ae71809d-7aaa-4bf5-8c36-d410756be91d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/415596/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68102490.28246.4655.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/64ad4e1a730800029d38a79d/reports/5ec999f5-6350-4d04-8fe9-51467340a88b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f2d04e3471be382205e0e8c40cdee1ccdae9b73527f8a428108ba231da16e68d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/695c3dbe-0eff-487f-a919-d7bc55fdeef9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1270863
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1270863 Sample: utVLiBXXPD.exe Startdate: 11/07/2023 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic 2->54 56 Found malware configuration 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 5 other signatures 2->60 7 utVLiBXXPD.exe 4 2->7         started        11 svchost.exe.exe 3 2->11         started        13 svchost.exe.exe 2->13         started        process3 file4 32 C:\Users\user\AppData\...\utVLiBXXPD.exe.log, ASCII 7->32 dropped 62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->62 64 May check the online IP address of the machine 7->64 66 Adds a directory exclusion to Windows Defender 7->66 15 utVLiBXXPD.exe 17 5 7->15         started        20 powershell.exe 21 7->20         started        68 Multi AV Scanner detection for dropped file 11->68 70 Machine Learning detection for dropped file 11->70 72 Injects a PE file into a foreign processes 11->72 22 svchost.exe.exe 14 2 11->22         started        24 svchost.exe.exe 13->24         started        signatures5 process6 dnsIp7 34 api4.ipify.org 64.185.227.156, 443, 49692, 49694 WEBNXUS United States 15->34 36 api.telegram.org 149.154.167.220, 443, 49693, 49698 TELEGRAMRU United Kingdom 15->36 38 api.ipify.org 15->38 28 C:\Users\user\AppData\...\svchost.exe.exe, PE32 15->28 dropped 30 C:\Users\...\svchost.exe.exe:Zone.Identifier, ASCII 15->30 dropped 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->44 46 Tries to steal Mail credentials (via file / registry access) 15->46 48 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->48 26 conhost.exe 20->26         started        40 api.ipify.org 22->40 42 api.ipify.org 24->42 50 Tries to harvest and steal browser information (history, passwords, etc) 24->50 52 Installs a global keyboard hook 24->52 file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f2d04e3471be382205e0e8c40cdee1ccdae9b73527f8a428108ba231da16e68d/
Threat name:
ByteCode-MSIL.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2023-07-10 13:21:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6lie4ndrxy4cebpa5dcazxxbztnotnzve74kikaqrorddwqw42gq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3407ca71f8e355af09d5d840ff99f6f7cf6a764ba5825d61bc86ee805425ce79
AgentTesla
461f3de19176b99a3e099a1df86f7f3ba4876fb21b2e1c6487cbcec7eef31a01
AgentTesla
4e7bb77954afbccdc27b8a44ef59bbe072f3fc18966a8b52495306911e2dd59b
AgentTesla
53e575805dc9d69c41f366e65946a7d4adf051f322f463f70e9b2f80d50450cb
AgentTesla
7783bf6570b811d097c413a78782f3efaa9fe3843e99e8326e589a4e142df6ed
AgentTesla
8a0884d4befce2899e84e43d267d28146a5ba97f4fd8e10e9092cd9ecf7252b3
AgentTesla
9e778ed10d6543b0b16f50bbb021181e2cd1d6e9ab230f28492eeb45838c3893
AgentTesla
e72d57159b747a02fd3cce2377fa22b1937603900c82bc9b2780f0aa2747005b
AgentTesla
e8028a0714a8604b1ec7e5d91cf50948e895a05cc180d9c07bcbc80e542d30ce
AgentTesla
eb9013c343ab4b99b91861620223802a978910ccc099ecabe8b3a00bb59c6309
AgentTesla
+ 412 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230711-pxbtysgh97/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6020538814:AAGi6ggZTjZC0BhIaunk2td_4MY4oUZFF7Y/
Unpacked files
SH256 hash:
adf8860798bc1ca9e6f09f1ec54d1fc6e00a677f8b16af6766da6546ff85bc53
MD5 hash:
c2842dbf4c75af42c88749d2ba469af0
SHA1 hash:
b6c8a062c58f1d469353c0a093857d089c858f80
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
9c443781108d5a40294c721b8b370ad4c26e53e8d2424a6f8683b3b953d8a653
MD5 hash:
1c6c905a2f4984090aa66d605dee478a
SHA1 hash:
14bf0c9bcde603f5fd38dad8fc2b8379d319a309
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
adf8860798bc1ca9e6f09f1ec54d1fc6e00a677f8b16af6766da6546ff85bc53
MD5 hash:
c2842dbf4c75af42c88749d2ba469af0
SHA1 hash:
b6c8a062c58f1d469353c0a093857d089c858f80
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
320f0ba22da606538e87d111217c545a875c1d813b7c51ab54fb5d7bd7665112
MD5 hash:
2749d9627cd2c773de8606d9ef9de8a4
SHA1 hash:
00d141d2cafeed15964c33be6950fed99d6692e9
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
9c443781108d5a40294c721b8b370ad4c26e53e8d2424a6f8683b3b953d8a653
MD5 hash:
1c6c905a2f4984090aa66d605dee478a
SHA1 hash:
14bf0c9bcde603f5fd38dad8fc2b8379d319a309
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
adf8860798bc1ca9e6f09f1ec54d1fc6e00a677f8b16af6766da6546ff85bc53
MD5 hash:
c2842dbf4c75af42c88749d2ba469af0
SHA1 hash:
b6c8a062c58f1d469353c0a093857d089c858f80
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
9c443781108d5a40294c721b8b370ad4c26e53e8d2424a6f8683b3b953d8a653
MD5 hash:
1c6c905a2f4984090aa66d605dee478a
SHA1 hash:
14bf0c9bcde603f5fd38dad8fc2b8379d319a309
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
320f0ba22da606538e87d111217c545a875c1d813b7c51ab54fb5d7bd7665112
MD5 hash:
2749d9627cd2c773de8606d9ef9de8a4
SHA1 hash:
00d141d2cafeed15964c33be6950fed99d6692e9
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
320f0ba22da606538e87d111217c545a875c1d813b7c51ab54fb5d7bd7665112
MD5 hash:
2749d9627cd2c773de8606d9ef9de8a4
SHA1 hash:
00d141d2cafeed15964c33be6950fed99d6692e9
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
adf8860798bc1ca9e6f09f1ec54d1fc6e00a677f8b16af6766da6546ff85bc53
MD5 hash:
c2842dbf4c75af42c88749d2ba469af0
SHA1 hash:
b6c8a062c58f1d469353c0a093857d089c858f80
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
9c443781108d5a40294c721b8b370ad4c26e53e8d2424a6f8683b3b953d8a653
MD5 hash:
1c6c905a2f4984090aa66d605dee478a
SHA1 hash:
14bf0c9bcde603f5fd38dad8fc2b8379d319a309
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
320f0ba22da606538e87d111217c545a875c1d813b7c51ab54fb5d7bd7665112
MD5 hash:
2749d9627cd2c773de8606d9ef9de8a4
SHA1 hash:
00d141d2cafeed15964c33be6950fed99d6692e9
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
SH256 hash:
f2d04e3471be382205e0e8c40cdee1ccdae9b73527f8a428108ba231da16e68d
MD5 hash:
23896fb7fd3c88ed96f3dc35e58c9d28
SHA1 hash:
e156647a0116b156fad125663d93bc19f6d6301d
Link:
https://www.unpac.me/results/e05f997f-2bf3-4ebf-82e1-d1f0a46caa20/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2d04e3471be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f2d04e3471be382205e0e8c40cdee1ccdae9b73527f8a428108ba231da16e68d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2680643/
Cape
Cape
https://www.capesandbox.com/analysis/415596/

Comments


Avatar
zbet commented on 2023-07-11 12:41:07 UTC

url : hxxp://87.121.221.212/secdivinezx.exe