MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f46fe0537b24b1682cf6468dd8c1eb82d91ed26e8d3de246dcb7153582ef9212. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f46fe0537b24b1682cf6468dd8c1eb82d91ed26e8d3de246dcb7153582ef9212
SHA3-384 hash: 865f9ef6d0778d59787ec3a90f4de1e9a768e98fc3582a63f4e406c34cc88b792f7764a70d9189c0aab761b5db4a93e2
SHA1 hash: fd9e53012d21978335aec52b3fb8f765ffb2bb4c
MD5 hash: 06b989be29ce7249ccfec892a631088d
humanhash: pennsylvania-idaho-kansas-oranges
File name:Shipment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:707'584 bytes
First seen:2022-05-25 18:17:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:TGZFF0UC7q84v1x8covL31UOblGwudnOoIGoPUzxPNaaCPbFMR4w3i4v:rp478zRUglu5OR1PUl2DFKly
Threatray 17'764 similar samples on MalwareBazaar
TLSH T190E4024BF661AFE4F43D03BE717119622F209722E5BED66868A571870C713C2509BDC7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Shipment.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 18:20:57 UTC
Tags:
agenttesla trojan rat
Link:
https://app.any.run/tasks/3defb6a9-e923-4323-8968-15faa1ac3100

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274600/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expand.exe fareit obfuscated packed wacatac
Link:
https://www.filescan.io/uploads/628e72f23ec49f83a6cb3419/reports/cf695c83-8ebf-462f-ad04-dd1570404a23/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf656501-bb4c-482d-a2f8-b92343d36197
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001772
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634268 Sample: Shipment.exe Startdate: 25/05/2022 Architecture: WINDOWS Score: 100 74 Malicious sample detected (through community Yara rule) 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 7 other signatures 2->80 7 Shipment.exe 7 2->7         started        11 prAyoao.exe 5 2->11         started        13 prAyoao.exe 2->13         started        process3 file4 52 C:\Users\user\AppData\Roaming\kvlrnvIb.exe, PE32 7->52 dropped 54 C:\Users\...\kvlrnvIb.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmp9964.tmp, XML 7->56 dropped 58 C:\Users\user\AppData\...\Shipment.exe.log, ASCII 7->58 dropped 82 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->82 84 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->84 86 Uses schtasks.exe or at.exe to add and modify task schedules 7->86 15 Shipment.exe 2 9 7->15         started        20 powershell.exe 25 7->20         started        22 schtasks.exe 1 7->22         started        32 2 other processes 7->32 88 Multi AV Scanner detection for dropped file 11->88 90 Machine Learning detection for dropped file 11->90 92 Adds a directory exclusion to Windows Defender 11->92 24 prAyoao.exe 11->24         started        26 powershell.exe 11->26         started        28 schtasks.exe 11->28         started        94 Injects a PE file into a foreign processes 13->94 30 prAyoao.exe 13->30         started        34 2 other processes 13->34 signatures5 process6 dnsIp7 60 webmail.wrcs.in 103.138.189.137, 587 GBLINK-AS-APGBLINKNETWORKSOLUTIONSPRIVATELIMITEDIN India 15->60 48 C:\Users\user\AppData\Roaming\...\prAyoao.exe, PE32 15->48 dropped 50 C:\Users\user\...\prAyoao.exe:Zone.Identifier, ASCII 15->50 dropped 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->64 66 Tries to steal Mail credentials (via file / registry access) 15->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->68 36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        62 192.168.2.1 unknown unknown 24->62 40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        70 Tries to harvest and steal ftp login credentials 30->70 72 Tries to harvest and steal browser information (history, passwords, etc) 30->72 44 conhost.exe 34->44         started        46 conhost.exe 34->46         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f46fe0537b24b1682cf6468dd8c1eb82d91ed26e8d3de246dcb7153582ef9212/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 17:09:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rx6au33esywqlhwi2g5rqplqlmr5utoru66erw4w4ktlaxpsija._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3cff2b73d77305ffe8c02b009feca9ad0fbdbbbfeec0a1db831caa127f58ef73
AgentTesla
4b3b8f1f6ab69340cea4c78f21cb691e6efdb3ede2973a6315e947b281ea25c8
AgentTesla
4b3efdba2a0251d16190ac0faabe18091b391b70e55ac58d17f8ad2ac0baab68
AgentTesla
781a63f173507bbaf99c4937f324e8b1e746f807583f48328e6005ce6aae003b
AgentTesla
9549182c055153e44fdaaacdddd4a58d343600de6b93df05e7800f715d496f2d
AgentTesla
ebdbd8487dfdaebc34214de4e2f6fdfc5b5cfb30b9fa98ca9269a4cfae16cb93
AgentTesla
f1a566ebee3c225b2683813ce31c30f6e7648c1dcdd03c991a2d2e99c11bc6d7
AgentTesla
f8f3a24e97b0c9e4941baab62a4eeb64b9cc7e82ad97398b95b58fbf1289fb24
AgentTesla
+ 17'754 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220525-wxk6ysgbem/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
75552b5a5ee3c974041d14faa590ae2c2ed0418f893646f2c8d656d7cfbe46e2
MD5 hash:
ff0ae86eaab019d5abd0ed69442af13e
SHA1 hash:
f6b5bb43c8e3f709cd8b4d74147d38c6758a9fdc
Link:
https://www.unpac.me/results/8d060cf0-7be3-4d51-b738-a584c840b4c9/
SH256 hash:
2c8cfb7facd4f89a9c140ea87c6dd9e71b5a07c228d5621122cc1ebf5a60218f
MD5 hash:
3ffad51753e08a6717b9ca0f6bb0d32d
SHA1 hash:
dfb5e851e18d3f5cc1658143daa4492d8db2d1c7
Link:
https://www.unpac.me/results/8d060cf0-7be3-4d51-b738-a584c840b4c9/
SH256 hash:
c720d8d87e5744ef459c160ae3ae85984519c5cee89d4acd3d4156f929ebcca2
MD5 hash:
86f922d84e1b89f646bc23cb3d878a9c
SHA1 hash:
b61f4401c1a144d704988cf4e55dd9a71f8d8263
Link:
https://www.unpac.me/results/8d060cf0-7be3-4d51-b738-a584c840b4c9/
SH256 hash:
0283941f1f7ae72f88bb3044addc3f4274549c3fd771612ec3df95c80b708c9e
MD5 hash:
abcf7824b477074db7ac154a80d1e329
SHA1 hash:
9c6982829bff318776560846de7bcc39d3c16f7f
Link:
https://www.unpac.me/results/8d060cf0-7be3-4d51-b738-a584c840b4c9/
SH256 hash:
2595bd8d4e1497e407a53111d3aad1d495f99a0d8ce1f0505b8041b43e877156
MD5 hash:
b384f66780c1ee44c9caf25e0558f224
SHA1 hash:
829727600013b41bc5b8c3e332bb7c2fdc6bb213
Link:
https://www.unpac.me/results/8d060cf0-7be3-4d51-b738-a584c840b4c9/
SH256 hash:
f46fe0537b24b1682cf6468dd8c1eb82d91ed26e8d3de246dcb7153582ef9212
MD5 hash:
06b989be29ce7249ccfec892a631088d
SHA1 hash:
fd9e53012d21978335aec52b3fb8f765ffb2bb4c
Link:
https://www.unpac.me/results/8d060cf0-7be3-4d51-b738-a584c840b4c9/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f46fe0537b24/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f46fe0537b24b1682cf6468dd8c1eb82d91ed26e8d3de246dcb7153582ef9212

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f46fe0537b24b1682cf6468dd8c1eb82d91ed26e8d3de246dcb7153582ef9212

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274600/

Comments