MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5b3722272deec8e2c5e092ddbc1d45c5f31901cc18ea380d36fe9c343f69f8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	f5b3722272deec8e2c5e092ddbc1d45c5f31901cc18ea380d36fe9c343f69f8e
SHA3-384 hash:	13b2b22437ae10e5a53a645e711a420844fc34a413c1d83b3267d6bdad04d3b39deab313b2cbffc8b10b34cfb85c1bfb
SHA1 hash:	683748f998327c5db9ee03ed3c6bd8ac197509a2
MD5 hash:	42e540d7b10d4c370f31cf556b36cc9e
humanhash:	table-shade-missouri-delta
File name:	payment.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	865'792 bytes
First seen:	2022-03-02 14:56:47 UTC
Last seen:	2022-03-02 16:54:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:ZxNnSR/IhDj4oejXgaAoeduRtpd/FmDTiIvzP2ZmsC1pMLnv2/X45iKUuxMbr15F:ZxNnPoVXgAPTX/F+TJLP8bqzPnRTP
Threatray	15'554 similar samples on MalwareBazaar
TLSH	T1CF05C00839E65038FD3A8BF1DAD4EBF19B6EF221D48930F564000E159A55BBC8949EFD
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

204

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/246338/

Detection(s):

Sanesecurity.Rogue.0hr.20220302-0504.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Сreating synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/621f85c10cd58dbd92635983/reports/a5dad8e0-933f-4952-a479-b19f75e671c0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7ebea74a-137d-48aa-be84-a78dcf5bea66

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/949211

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/f5b3722272deec8e2c5e092ddbc1d45c5f31901cc18ea380d36fe9c343f69f8e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-02 02:17:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6wzxeits33wi4lc6bew5xqoulrptdea4yghkhagtn7u4gq7wt6ha._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

7ae9fbdb3d92bcc4f41221d4ee410d3e742daf6966ca8655e921c308001974c4

AgentTesla

a0cb2a6e4529cca361bcb939c02b9e0e093f07891b4066732e85a56c9659a194

AgentTesla

c9200cb5d55018691f1b7467f90ba449d85272f2952847aab726ce53d14a63d3

AgentTesla

d09834e61f459e41d6abc13831cb6c488e4b763a14e83d9634aaf1fb37aa91c9

AgentTesla

d9ea0b78760df096a1be005cec699a167d7d1a7cbce5b9895f1ac4ec3e067499

AgentTesla

f9109d580be456d185505ce08cb2e1ec0028d9e2fdd0248ddeb102437cba30f7

AgentTesla

f9d8a845ceb291d06ea20a7656d7fb79e77ce728097bc61163ab60a24afc8b19

AgentTesla

fcfa3e25921c401d956ee669cd7612dccae1fc7772673b39d395f476d49ca1fc

AgentTesla

+ 15'544 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/220302-sbmwwaghgk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

e5d61d97129556b54ca64ef8bf6354958920242938c3d07e14f90958fb97149d

MD5 hash:

1f84a9dc7a20d204dcbeb83841db77dd

SHA1 hash:

99045de9100db0f5ef0e8c42e5dbc5a6aacaafb0

Link:

https://www.unpac.me/results/f9dce54b-cd39-4796-971d-ecd315607ecc/

SH256 hash:

e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715

MD5 hash:

78a25e75b94923e889ecd100349facbe

SHA1 hash:

6b3f8db525d3c98f92ed480e664ab8ee9458340b

Link:

https://www.unpac.me/results/f9dce54b-cd39-4796-971d-ecd315607ecc/

SH256 hash:

9b35e906399e0cbbf625f9f7b7dbe02ebbcf369092ccd8e26ccaf60a77716d5a

MD5 hash:

036e06f7f5e5eed1431fbddae6028f4a

SHA1 hash:

64c245b7e357ceddde4150a87d2a929522f77ae5

Link:

https://www.unpac.me/results/f9dce54b-cd39-4796-971d-ecd315607ecc/

SH256 hash:

5a24b1a0188261c70d0a5aeffb778500ed1512f16e5c11f6f5a7fa1ab78a7d38

MD5 hash:

89aa33b4e1ef0d577b9297dc0639a849

SHA1 hash:

28b5cdf3801d61923e6c1102c04e2e009212cb21

Link:

https://www.unpac.me/results/f9dce54b-cd39-4796-971d-ecd315607ecc/

SH256 hash:

f5b3722272deec8e2c5e092ddbc1d45c5f31901cc18ea380d36fe9c343f69f8e

MD5 hash:

42e540d7b10d4c370f31cf556b36cc9e

SHA1 hash:

683748f998327c5db9ee03ed3c6bd8ac197509a2

Link:

https://www.unpac.me/results/f9dce54b-cd39-4796-971d-ecd315607ecc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f5b3722272deec8e2c5e092ddbc1d45c5f31901cc18ea380d36fe9c343f69f8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/246338/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample