MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f405134e5b1e953d5d845e537f74b02cf7ab10402df7020f6bda89ee8532cfba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f405134e5b1e953d5d845e537f74b02cf7ab10402df7020f6bda89ee8532cfba
SHA3-384 hash: b7ab25d323d486869845d693f8f36d04d50ce61992a2496f821732b1ee0a447a390fc9cbd9abe21b897a258d3fdcaa89
SHA1 hash: 4eaf2c68b0d1838a40d544440b6e9c78ecd4309e
MD5 hash: d14379d74462281fb9d1dda8faefc851
humanhash: failed-fifteen-tennessee-berlin
File name:Shipping Documents.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:772'096 bytes
First seen:2023-06-28 16:00:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ZKnh31z0T55GkKhHkQbErcxWyI6VEoRAYjJn:0L5hxbwcxWyVEonV
Threatray 4'288 similar samples on MalwareBazaar
TLSH T169F461BD29802E97D475E5B2C263088DF67F7032BF138D6B26D252C5862552E37ED80E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Shipping Documents.exe
Verdict:
Malicious activity
Analysis date:
2023-06-28 16:01:33 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/426f05d8-3763-4940-b90e-1488c86c983b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/403603/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.7332.9555.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin masquerade packed replace
Link:
https://www.filescan.io/uploads/649c593fe1b9083ea6dba1aa/reports/711e6f90-bfd2-4bc8-91ed-8ae86bee1c61/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f405134e5b1e953d5d845e537f74b02cf7ab10402df7020f6bda89ee8532cfba
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8916820b-17f2-4685-aa40-3148a2ed1052
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1262807
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f405134e5b1e953d5d845e537f74b02cf7ab10402df7020f6bda89ee8532cfba/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-28 13:33:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qcrgts3d2kt2xmelzjx65fqft32wecafx3qed3l3ke65bjsz65a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02bd19db008421b6974fb5794030f064630942d926606f6f183bbc6926192399
AgentTesla
062091e8dfcd454183cd27936fc78e170a8e52fd7229321ec40e912825e22684
AgentTesla
09d70a9a22f7bf12c1a6354b1d90d426e1223576d27ba855f6f48d78bf508833
AgentTesla
0e99461e1d9e814ab13a7c724a4a71e043b9ad82ab978ab15a70e2e3abfa0468
AgentTesla
21a5e58e2fe39e481f9977f94a94d352c4c492e9bd6d79d4ae3bbf4cc4a2d751
AgentTesla
729b3e10a37e42bba3f9999ce8a17bc69f8642d86420f05836a5d0271a718efc
AgentTesla
7681b3e36910fd04d90febb8fe222537db5fa8cb2c699c19a4a6eb3470e71292
AgentTesla
9e5c195dcf2739418a55f6d03c1a05507f533e8a226253ffdd8b93e96f9fea51
AgentTesla
c323cff8253a448437474f68f4792fceb7f3424ca6a3ed260b5fe81acd88d49c
AgentTesla
cec5cc9dfa8e64cd0bacc6aa6f7767729dec65d6a8d53184b887dc89a6a76884
AgentTesla
+ 4'278 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230628-tf7yaaac39/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
1b517dce6fb4e2c82d8652497aea509598e91893eb1006e8f9efe525c8709a16
MD5 hash:
22edd4a44c33e79acbaf7cf0bd406f90
SHA1 hash:
fdd67dc217ff13f7da05dd8b24c7eeb431ea28cf
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/5ae92f14-6431-447c-bdb9-e3034a1f8932/
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/5ae92f14-6431-447c-bdb9-e3034a1f8932/
SH256 hash:
048f43f1f12185b58f4a1374a910b68c1c38cd993d73cfc0b738ece3dc27ff1c
MD5 hash:
938d77797a11d4d5f902b375edbca4ce
SHA1 hash:
909b63e19ab6dc35fced53a3ddc6859a19c1599f
Link:
https://www.unpac.me/results/5ae92f14-6431-447c-bdb9-e3034a1f8932/
SH256 hash:
1b517dce6fb4e2c82d8652497aea509598e91893eb1006e8f9efe525c8709a16
MD5 hash:
22edd4a44c33e79acbaf7cf0bd406f90
SHA1 hash:
fdd67dc217ff13f7da05dd8b24c7eeb431ea28cf
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/5ae92f14-6431-447c-bdb9-e3034a1f8932/
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/5ae92f14-6431-447c-bdb9-e3034a1f8932/
SH256 hash:
1b517dce6fb4e2c82d8652497aea509598e91893eb1006e8f9efe525c8709a16
MD5 hash:
22edd4a44c33e79acbaf7cf0bd406f90
SHA1 hash:
fdd67dc217ff13f7da05dd8b24c7eeb431ea28cf
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/5ae92f14-6431-447c-bdb9-e3034a1f8932/
SH256 hash:
048f43f1f12185b58f4a1374a910b68c1c38cd993d73cfc0b738ece3dc27ff1c
MD5 hash:
938d77797a11d4d5f902b375edbca4ce
SHA1 hash:
909b63e19ab6dc35fced53a3ddc6859a19c1599f
Link:
https://www.unpac.me/results/5ae92f14-6431-447c-bdb9-e3034a1f8932/
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/5ae92f14-6431-447c-bdb9-e3034a1f8932/
SH256 hash:
048f43f1f12185b58f4a1374a910b68c1c38cd993d73cfc0b738ece3dc27ff1c
MD5 hash:
938d77797a11d4d5f902b375edbca4ce
SHA1 hash:
909b63e19ab6dc35fced53a3ddc6859a19c1599f
Link:
https://www.unpac.me/results/5ae92f14-6431-447c-bdb9-e3034a1f8932/
SH256 hash:
f405134e5b1e953d5d845e537f74b02cf7ab10402df7020f6bda89ee8532cfba
MD5 hash:
d14379d74462281fb9d1dda8faefc851
SHA1 hash:
4eaf2c68b0d1838a40d544440b6e9c78ecd4309e
Link:
https://www.unpac.me/results/5ae92f14-6431-447c-bdb9-e3034a1f8932/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/f405134e5b1e953d5d845e537f74b02cf7ab10402df7020f6bda89ee8532cfba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/403603/

Comments