MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5f4515d071a9ef0fcaf8e3bb1d9f7f473f48082dfa5c25f63edb1be22e7a8ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5f4515d071a9ef0fcaf8e3bb1d9f7f473f48082dfa5c25f63edb1be22e7a8ad
SHA3-384 hash: 72b208cd747b0b988463b2d0f4f89f3650602fb45fd89249bcb5c27840ee0c4290f6cc001de84936d5a95f9024af285c
SHA1 hash: 7f0a951b3fd1fb07e6873d0248f7ffb785e5a587
MD5 hash: c2dd8ea121dbfe0ecc36f7008419b135
humanhash: low-mississippi-illinois-failed
File name:SHIPMENT DOCUMENT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'298'944 bytes
First seen:2023-02-28 15:03:11 UTC
Last seen:2023-02-28 16:28:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:f+D7SzYPJdzGTIKrD/E3nsQG3yrHqqfTkvbVvt7gXLePB8xbCA6/+otqC7:W3SzYxdzGTIKf/EXdGyji6LePB8ha+3I
Threatray 117 similar samples on MalwareBazaar
TLSH T17A559D4C63709C73EADB01B2448512DC0EB4F5CB6516F25A5BA73B429A8ABFFB54E103
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 8070d4ccc2e8d410 (5 x Formbook, 3 x AgentTesla, 3 x SnakeKeylogger)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SHIPMENT DOCUMENT.exe
Verdict:
Malicious activity
Analysis date:
2023-02-28 15:07:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2c471e5f-6405-4266-8fbc-58dc4e35035c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370657/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1861.20285.16171.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63fe17e3bfec0852a68de5dc/reports/09e1c26e-1021-4c44-acb2-e1fa313de3a5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f5f4515d071a9ef0fcaf8e3bb1d9f7f473f48082dfa5c25f63edb1be22e7a8ad
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e4cdd8d-6bf1-4922-ba44-1b54cb8f4b40
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1184364
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 817212 Sample: SHIPMENT DOCUMENT.exe Startdate: 28/02/2023 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Antivirus detection for URL or domain 2->60 62 7 other signatures 2->62 7 SHIPMENT DOCUMENT.exe 7 2->7         started        11 BbNYxJvbmGYp.exe 5 2->11         started        13 yGbzOMp.exe 2->13         started        15 yGbzOMp.exe 2->15         started        process3 file4 46 C:\Users\user\AppData\...\BbNYxJvbmGYp.exe, PE32 7->46 dropped 48 C:\Users\...\BbNYxJvbmGYp.exe:Zone.Identifier, ASCII 7->48 dropped 50 C:\Users\user\AppData\Local\Temp\tmpE96.tmp, XML 7->50 dropped 52 C:\Users\user\...\SHIPMENT DOCUMENT.exe.log, ASCII 7->52 dropped 76 Writes to foreign memory regions 7->76 78 Allocates memory in foreign processes 7->78 80 Adds a directory exclusion to Windows Defender 7->80 17 RegSvcs.exe 2 4 7->17         started        22 RegSvcs.exe 7->22         started        24 powershell.exe 21 7->24         started        34 2 other processes 7->34 82 Machine Learning detection for dropped file 11->82 84 Injects a PE file into a foreign processes 11->84 26 RegSvcs.exe 11->26         started        28 schtasks.exe 11->28         started        30 conhost.exe 13->30         started        32 conhost.exe 15->32         started        signatures5 process6 dnsIp7 54 mail.bosphoreqroup.com 162.241.27.28, 49715, 49723, 587 UNIFIEDLAYER-AS-1US United States 17->54 44 C:\Users\user\AppData\Roaming\...\yGbzOMp.exe, PE32 17->44 dropped 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->64 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->66 68 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->68 36 conhost.exe 24->36         started        70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->70 72 Tries to steal Mail credentials (via file / registry access) 26->72 74 Tries to harvest and steal browser information (history, passwords, etc) 26->74 38 conhost.exe 28->38         started        40 conhost.exe 34->40         started        42 conhost.exe 34->42         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f5f4515d071a9ef0fcaf8e3bb1d9f7f473f48082dfa5c25f63edb1be22e7a8ad/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-02-28 10:21:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
19 of 25 (76.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6x2fcxihdkppb7fpry53dwpx6rz7jaec36s4ex3d5wy34ixhvcwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
35e7b2604df05669b524424447654751c94c6cd5d7d4aec950bdefc4e377fdcd
AgentTesla
67694aa8ad851eae7f51b1e7067470d051f773f7d8ece3e0866290290556e06b
AgentTesla
830259122e9c75a4977848c7a340c7a13efb927302035bf9f3460530c5f4d7dd
AgentTesla
95709146a788e3cae6af75199ba67b1aa327c8fe1c605f2cf8341861389cd011
AgentTesla
b65c4b6176909f6ff47cb1c7321a4855995bfa97a473c0927aeef0e3b714cd83
AgentTesla
b9fd7e1e9b204a2b8fe3c2ee138b05e10b49c76bb29dd20f9d4a0cebfe3b72b8
AgentTesla
c7f0e4ce6d95ce821671196d361bcd2eb1ac9f6837fd4693968fda7b4f926eac
AgentTesla
ca4ae8153f345ff67fb3b4adbba7ed2714dcde706bdf9641d312da6b1aca426c
AgentTesla
cc4027113c42cc0e57bbf7da93a8f5f45a4c82e75704a80c13c080a9caa75d21
AgentTesla
deca2549d1849cf35a4c1a924db6fe95438cde05bd470de9aab41d74167e9dde
AgentTesla
+ 107 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230228-sfljlsbe31/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
161c49079b704918cdea7c6dfe810fed378944dfc4deb10cfae64d4cf81f7471
MD5 hash:
09add106cf96d7b31f7236060144964d
SHA1 hash:
debe8c76245d706d1fdf63790bd5268544d4ee57
Link:
https://www.unpac.me/results/85acb6c4-b824-45bd-8f8c-1623f3d92507/
SH256 hash:
594411ecedd2481667372558d6e27330d0066c4d04c5e8366965f847570f556e
MD5 hash:
50028996a0e4a095aa58060aee6422b0
SHA1 hash:
cd6b18f7e0aa5481e03340efae1feacd3f9f0cda
Link:
https://www.unpac.me/results/85acb6c4-b824-45bd-8f8c-1623f3d92507/
SH256 hash:
8d7dc435e4b64107681b8ad83ef130230296bc0c311b9995f7d2ef950ae599eb
MD5 hash:
9da150a48d30751e1e53a3344e541dea
SHA1 hash:
a2fbda3d40311a429af14b529687df68abb92d2a
Link:
https://www.unpac.me/results/85acb6c4-b824-45bd-8f8c-1623f3d92507/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/85acb6c4-b824-45bd-8f8c-1623f3d92507/
SH256 hash:
99659fa223e7c1e16928a6ae5a311024b9ad842be8d9588d172f8fb74d6d52c3
MD5 hash:
b3a4365386e0613dce785542e2eee51f
SHA1 hash:
0423cb4c56262cf23eb1593917a09c14ff894fa4
Link:
https://www.unpac.me/results/85acb6c4-b824-45bd-8f8c-1623f3d92507/
SH256 hash:
f5f4515d071a9ef0fcaf8e3bb1d9f7f473f48082dfa5c25f63edb1be22e7a8ad
MD5 hash:
c2dd8ea121dbfe0ecc36f7008419b135
SHA1 hash:
7f0a951b3fd1fb07e6873d0248f7ffb785e5a587
Link:
https://www.unpac.me/results/85acb6c4-b824-45bd-8f8c-1623f3d92507/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f5f4515d071a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f5f4515d071a9ef0fcaf8e3bb1d9f7f473f48082dfa5c25f63edb1be22e7a8ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e980e95e1a7d0e5c4eb933fe6cb8b33b0819b3b559aeb761cce8852247cc3947

AgentTesla

Executable exe f5f4515d071a9ef0fcaf8e3bb1d9f7f473f48082dfa5c25f63edb1be22e7a8ad

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e980e95e1a7d0e5c4eb933fe6cb8b33b0819b3b559aeb761cce8852247cc3947
Cape
Cape
https://www.capesandbox.com/analysis/370657/
  
Dropped by
MD5 daad5651e1e2ac397fd844744f9c306b

Comments