MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f797a34828089feb29e7f77d31f184b335d7958755d385fad50d69fdbd3660d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	f797a34828089feb29e7f77d31f184b335d7958755d385fad50d69fdbd3660d2
SHA3-384 hash:	fc553940bce9499195ba443cab380dd2a683da83188eee34ad8693893d3ffedb9e8575c89844ae02f131024cc48154e1
SHA1 hash:	9c804dc2a5b381ab9ccc69073434fbcd03e6398e
MD5 hash:	b3469fface251fb3d6a9e2da0d236802
humanhash:	three-princess-arkansas-lake
File name:	HSBC-Payment_Advice_pdf.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	2'171'392 bytes
First seen:	2023-03-15 15:32:22 UTC
Last seen:	2023-03-15 17:28:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:a+WDYaOZ49Ot09OX7l348A5NyVeGZEeN36QMr/+QyiAv1L+khttmq6NjszOVbz5i:uYf6s6ihs3sC7bk0u
Threatray	1'402 similar samples on MalwareBazaar
TLSH	T136A56CB11693FEC4D73F1E74C8083A409C15086767AC9668FDC93AA7A3D91A4DF9C6B0
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	f8d8d0f0c0d0c0c0 (11 x AveMariaRAT, 10 x AgentTesla, 9 x Formbook)
Reporter	abuse_ch
Tags:	AgentTesla exe HSBC scr

Intelligence

File Origin

# of uploads :

# of downloads :

330

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

HSBC-Payment_Advice_pdf.scr

Verdict:

Malicious activity

Analysis date:

2023-03-15 15:35:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c78ad779-38e6-4e45-a95a-fda2dac5e238

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/374614/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.30942.4576.26643.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Sending a custom TCP request

Launching a process

Sending a UDP request

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6411e531c6e3c1f3261ac259/reports/c46a469e-a29a-40e4-aff4-d7757a20ec21/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f797a34828089feb29e7f77d31f184b335d7958755d385fad50d69fdbd3660d2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d9eb0461-4bc3-4307-bd55-c5c733f79322

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1194286

Signature

Encrypted powershell cmdline option found

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ipconfig to lookup or modify the Windows network settings

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f797a34828089feb29e7f77d31f184b335d7958755d385fad50d69fdbd3660d2/

Threat name:

Win32.Adware.RedCap

Status:

Malicious

First seen:

2023-03-15 08:31:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=66l2gsbibcp6wkph656td4mewm25pfmhkxjyl6wvbvu73pjwmdja._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

493781dc1d845e09f96742dfdc2edaef673ac5d4b2139875929166f2627dc161

AgentTesla

5f0ac25045091660d4c19a11ef3fa4c75ca597a69bde1ccbee3a99135fcb1832

AgentTesla

9a8c1fe1c53db8a44a8971664845fc5a63f34199504f3156101d8005059247a9

AgentTesla

ae9f0a09b1f95cb4ef05dc51e749a6b33e641a67cbf7cafc6fef41dbbd5b7671

AgentTesla

d6c81069f8763d1bb3ee317188270f97b60271b52ab35bd92080dde6913ad2e2

AgentTesla

e2cffdf34c55f9b0975fc651a0f49db65ff59c34610221fe5efac13d72911310

AgentTesla

f3341ea77e5c8f5e57ee22b1842656ff8225d0fef647bef19d0b0fcc6b87200d

AgentTesla

+ 1'392 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230315-sy7jssgb6s/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

AgentTesla

Unpacked files

SH256 hash:

f797a34828089feb29e7f77d31f184b335d7958755d385fad50d69fdbd3660d2

MD5 hash:

b3469fface251fb3d6a9e2da0d236802

SHA1 hash:

9c804dc2a5b381ab9ccc69073434fbcd03e6398e

Link:

https://www.unpac.me/results/3ceb50ef-4b38-4f91-9edb-9289d73a4d34/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f797a3482808/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f797a34828089feb29e7f77d31f184b335d7958755d385fad50d69fdbd3660d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/374614/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample