MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f827a4622e16afa2f9c9940c7b24d4c81ec206195307a7b5a0761ec735714926. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

SHA256 hash: f827a4622e16afa2f9c9940c7b24d4c81ec206195307a7b5a0761ec735714926
SHA3-384 hash: ad00bdbbd514939648c4a355f6c26cffabd155cb3df3a7046d2af5378113261fd19c0208f41949eb092bc05c9af17d0d
SHA1 hash: 6f813a88a13dfd8971035a1c5c141df8147a4e24
MD5 hash: ef93d3d08147a8dcd2be98923c3e8843
humanhash: connecticut-venus-maryland-ceiling
File name: MV AMIS WEALTH CTM USD 40,000.exe
Signature: AgentTesla
File size: 926'208 bytes
First seen: 2022-01-25 08:30:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:1Uu3vLkvqWS5Tl+5Iw8kra6EdewbYQ19CJMwdr0cF4cNCDi3RTn32jEYw:1UufYSH5lWIwj7FwngTia4cwI32jEYw
Threatray: 14'338 similar samples on MalwareBazaar
TLSH: T12715E0007FB5C772C17A6BF814F130048BB5396AA53DD5A92DCB52DA4BBAF208466F07
Reporter: cocaman
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 143
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: ByteCode-MSIL.Trojan.Injuke
Status: Malicious
First seen: 2022-01-25 08:31:10 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 19 of 28 (67.86%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction: https://api.telegram.org/bot2092755520:AAFUT-2SMjjd39KTAiZYfccbaFzWXamzjz4/sendDocument
Unpacked files
SHA256 hash: f1fdf3cc9532ee737ed8adc8a7dd5eb7f1a53f144472a704d18e80e722c8e217
MD5 hash: cf810470d408d2aa771056eb5d1d71ff
SHA1 hash: cb765f8b41bd774d232beec5f30f4c4872907926

SHA256 hash: 6ec422c06a2cab656aeeb37044a6a26e45617b1a7455c3f5b2d6cdcaae610de4
MD5 hash: 2211216cb7b930a1a9ff1c59ef4e6bce
SHA1 hash: bf0c1a49f73cb761dbadf364551ba63c69d3822d

SHA256 hash: 8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1
MD5 hash: efdf2c54a74297c24bc73285376c432b
SHA1 hash: 564f25afb6c5599cdcd5fafaff32c1475e581af4

SHA256 hash: f827a4622e16afa2f9c9940c7b24d4c81ec206195307a7b5a0761ec735714926
MD5 hash: ef93d3d08147a8dcd2be98923c3e8843
SHA1 hash: 6f813a88a13dfd8971035a1c5c141df8147a4e24

Malware family: Agent Tesla v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f827a4622e16afa2f9c9940c7b24d4c81ec206195307a7b5a0761ec735714926

(this sample)

Comments