MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2d87f50cf3fc57319a2b41c12bf0424be27cd79a2bf04a502e236b54aa16610. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2d87f50cf3fc57319a2b41c12bf0424be27cd79a2bf04a502e236b54aa16610
SHA3-384 hash: c0d96a4b885586a7306179491b07146c6bc7e9c65b26a60eed6d2927d66137710b9960aa59479355a38ebca34b0f5594
SHA1 hash: ba21ed0900eef2f77d22010b3addba4cb9b596f8
MD5 hash: 13fe43dbea7dddbe5060066cf39807f3
humanhash: fifteen-north-monkey-zebra
File name:13fe43dbea7dddbe5060066cf39807f3.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:454'248 bytes
First seen:2022-03-28 08:00:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:BGiUlRAttixAkVJJtoLPjYba8c1w37LXBaDIe3TOsD4qggLoTHhX3oAM2ysP5sC:YxAkVJLkY+8IUXBqlTO24BgMTBHwsp
Threatray 19'743 similar samples on MalwareBazaar
TLSH T16DA4CF2F0B9AE555C01234F82AE294CE78F45E4038A9DB519B612D699FFC3437D9E0CB
File icon (PE):PE icon
dhash icon d4f2f0f0f0f2fefc (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.jcps.co.za:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/258485/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.3281.24896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Moving a file to the %temp% directory
Reading critical registry keys
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62416b441f204239484075e7/reports/c14da223-f4b0-4f83-831f-0260d8f993a6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e99291c-c251-4e8b-9454-09317d221e8b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965638
Signature
.NET source code contains very large array initializations
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2d87f50cf3fc57319a2b41c12bf0424be27cd79a2bf04a502e236b54aa16610/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-28 11:01:27 UTC
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6lmh6ugph7cxggncwqobfpyees7cptlzuk7qjjic4i3lksvbmyia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0de9d600263ebba8c970a3c71faa5ac482d38a2f0daef028e407f0eaa39e6f2e
AgentTesla
0e16551efbf1aacaf4bbc05653978d86979048f338f9fab4a123dd3831dcef4e
AgentTesla
38083f72bb53d42e0b5c1b12bad8916872e0dd00a30ccd5b900e28481ba5c47d
AgentTesla
75a17cb26bd616c7d7b48b0b3add3033b6cd8656d8d20a0618734a3850072632
AgentTesla
84ab32d1af140cca0c1cc02e9eff7f8d2d48bba935b963056d96a5e2dcec4869
AgentTesla
b19e9183915045a170b5156d43e7c88c21522abd259e93745efc8a1b1a7350a8
AgentTesla
d3859b8d0261ca3ea4e4f698e14588545e0de6db369ddcced27c84c4d5ea80da
AgentTesla
+ 19'733 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220328-jwjkhshag7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
a137891ed786eac58fd69443af50a0ac7df1fd11137c126e608b1fa1b59ea73d
MD5 hash:
b88f8edaf9a3a4d2ad926ed296708024
SHA1 hash:
daa55c633a934c62012363c1b4aa4db7c34db480
Link:
https://www.unpac.me/results/dba8cfff-7183-40b7-9ab2-ff080ae5979a/
SH256 hash:
1deb67bad0305a790ae5e7fec4430aaa3fc21c2b170be4dad06d66603fe3e08a
MD5 hash:
7669b681db7c9ead17dd4be4999f1c06
SHA1 hash:
019bea4a8e12f3d0df48a3000532466c92758ec0
Link:
https://www.unpac.me/results/dba8cfff-7183-40b7-9ab2-ff080ae5979a/
SH256 hash:
35f413a41188de939771056eff9bacfaa724483ecf4540500cfb13e7999dfdf6
MD5 hash:
e536852caa72ecbb833fd0ae4a5efe79
SHA1 hash:
6fc9becab22e36301950d5c8b95df75865b6dc97
Link:
https://www.unpac.me/results/dba8cfff-7183-40b7-9ab2-ff080ae5979a/
SH256 hash:
f2d87f50cf3fc57319a2b41c12bf0424be27cd79a2bf04a502e236b54aa16610
MD5 hash:
13fe43dbea7dddbe5060066cf39807f3
SHA1 hash:
ba21ed0900eef2f77d22010b3addba4cb9b596f8
Link:
https://www.unpac.me/results/dba8cfff-7183-40b7-9ab2-ff080ae5979a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2d87f50cf3fc57319a2b41c12bf0424be27cd79a2bf04a502e236b54aa16610

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f2d87f50cf3fc57319a2b41c12bf0424be27cd79a2bf04a502e236b54aa16610

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2111030/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/258485/

Comments