MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f72ee457b7e53954dc20479dc5ae8eb4f7ad0674235292a8c348772f875b52ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f72ee457b7e53954dc20479dc5ae8eb4f7ad0674235292a8c348772f875b52ab
SHA3-384 hash: 2e4b61c6369d813a12a6ccfdeed216ca2fa04ed28501cbd4532982ed991e6f7bb9304e9cc99853ac90746f08b23e390d
SHA1 hash: 69fccaad6915755256b68f7f422c946dc1a69041
MD5 hash: 89c36bdf74a2c15aef18f4725ad37a70
humanhash: golf-lemon-india-winner
File name:f72ee457b7e53954dc20479dc5ae8eb4f7ad0674235292a8c348772f875b52ab
Download: download sample
Signature AgentTesla
Create hunting rule
File size:585'728 bytes
First seen:2023-05-14 09:42:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:F3fRnGP8BW77kzFOFIwY14UjSrN78/YEQ:zMK2NGh1TSrNw/2
Threatray 348 similar samples on MalwareBazaar
TLSH T1E5C49D3C8DBD5232E7B0D2B58BAC8871F06CA42F3191FE6A18DBD19116C3956B9C316D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b0cf4a4c4c4ccfb0 (31 x Formbook, 20 x RemcosRAT, 18 x AgentTesla)
Reporter petikvx
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00382562524253626.zip
Verdict:
Malicious activity
Analysis date:
2023-05-05 08:57:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/986ea10e-2d95-4981-bc68-9cf8c9503276

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/389331/
Detection(s):
SecuriteInfo.com.Variant.Barys.315692.6310.29861.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
barys formbook packed
Link:
https://www.filescan.io/uploads/6460ad32fcd24773a4dc09a9/reports/dae3435e-dba1-4043-8409-b141d332e275/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f72ee457b7e53954dc20479dc5ae8eb4f7ad0674235292a8c348772f875b52ab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/76f6f2ed-a23a-45bf-ae83-e3611ae9b76f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232722
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 865702 Sample: RqEf2d5PSA.exe Startdate: 14/05/2023 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 8 other signatures 2->58 7 RqEf2d5PSA.exe 6 2->7         started        11 PkICLemLl.exe 5 2->11         started        13 myapp5.exe 1 2->13         started        15 myapp5.exe 1 2->15         started        process3 file4 38 C:\Users\user\AppData\Roaming\PkICLemLl.exe, PE32 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmp1E83.tmp, XML 7->40 dropped 42 C:\Users\user\AppData\...\RqEf2d5PSA.exe.log, ASCII 7->42 dropped 74 Uses schtasks.exe or at.exe to add and modify task schedules 7->74 76 Writes to foreign memory regions 7->76 78 Injects a PE file into a foreign processes 7->78 17 vbc.exe 17 9 7->17         started        22 schtasks.exe 1 7->22         started        80 Multi AV Scanner detection for dropped file 11->80 82 Machine Learning detection for dropped file 11->82 24 vbc.exe 8 11->24         started        26 schtasks.exe 1 11->26         started        28 conhost.exe 13->28         started        30 conhost.exe 15->30         started        signatures5 process6 dnsIp7 44 smtp.ionos.com 74.208.5.2, 49691, 49692, 49696 ONEANDONE-ASBrauerstrasse48DE United States 17->44 46 api4.ipify.org 64.185.227.155, 443, 49690, 49695 WEBNXUS United States 17->46 48 api.ipify.org 17->48 36 C:\Users\user\AppData\Roaming\...\myapp5.exe, PE32 17->36 dropped 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->60 62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->62 64 May check the online IP address of the machine 17->64 66 Installs a global keyboard hook 17->66 32 conhost.exe 22->32         started        50 api.ipify.org 24->50 68 Tries to steal Mail credentials (via file / registry access) 24->68 70 Tries to harvest and steal browser information (history, passwords, etc) 24->70 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->72 34 conhost.exe 26->34         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f72ee457b7e53954dc20479dc5ae8eb4f7ad0674235292a8c348772f875b52ab/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-03 20:45:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=64xoiv5x4u4vjxbai6o4lluowt322btuenjjfkgdjb3s7b23kkvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
323f73b7cd367686fdc28a770469e6f6b3b1e45b6f375ef836bd3636880a102c
AgentTesla
34d42a9226293c7e412c37c20a94a64cb0e648f7e6bca5904477658024375a0f
AgentTesla
6c5deef73d02f6a72b9e5db340f3a5e3743d6a63fe0827815378bf2b13624d39
AgentTesla
70a1b64420a2202bf2604534c79f77006eebf716760374daa283d1dd36900a19
AgentTesla
a1ad0c868b1516099bd98539e2461b5d5f875ac42fab278297dab51687ac2037
AgentTesla
bf6a195481cb4cba11f09c03c4fca9be90f011fc883dad09b8b79a4b94e3aafc
AgentTesla
c80a78a69b180edbd9c52c5828d7adabfba05645618ed23d9728d1ea8ab394b1
AgentTesla
f72ee457b7e53954dc20479dc5ae8eb4f7ad0674235292a8c348772f875b52ab
AgentTesla
+ 338 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230514-lpxvnsbe32/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Uses the VBS compiler for execution
AgentTesla
Unpacked files
SH256 hash:
99a67625efb3299dc5fa5b15a7c0b0d6a82399dd8d5ee245c6654dd6b403d73d
MD5 hash:
54dd5155c5006bcc9316e91bfa82c72c
SHA1 hash:
d6b8b6de3f61583270b93e76d1b341f4b970258f
Link:
https://www.unpac.me/results/11d8ce75-b2e0-4da3-93ae-c7ab3095eab7/
SH256 hash:
ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d
MD5 hash:
27f5124bf8f451bca8d8a15c73c4f521
SHA1 hash:
5fd557e109b8fd1c3b362b64f0ba9f1600c07211
Link:
https://www.unpac.me/results/11d8ce75-b2e0-4da3-93ae-c7ab3095eab7/
SH256 hash:
66468d78c2de656979ec1bbb98302cbf1c532ff51327d524f3ada9ef099d1fe5
MD5 hash:
8469469f088198438136e1e014322804
SHA1 hash:
10e7bdd8e97692158d644bfa799f368cc8056b17
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/11d8ce75-b2e0-4da3-93ae-c7ab3095eab7/
Parent samples :
d09abd46b7e3761fd73b421dd29f8cbd81383c8e8dd19a09d7d63f4ced66f767
f72ee457b7e53954dc20479dc5ae8eb4f7ad0674235292a8c348772f875b52ab
SH256 hash:
f72ee457b7e53954dc20479dc5ae8eb4f7ad0674235292a8c348772f875b52ab
MD5 hash:
89c36bdf74a2c15aef18f4725ad37a70
SHA1 hash:
69fccaad6915755256b68f7f422c946dc1a69041
Link:
https://www.unpac.me/results/11d8ce75-b2e0-4da3-93ae-c7ab3095eab7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/f72ee457b7e53954dc20479dc5ae8eb4f7ad0674235292a8c348772f875b52ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/389331/

Comments