MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f933570e8d0c10e3df51c688fc88c45b69cd0ea54a5698c356dc14c9d95eda00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	f933570e8d0c10e3df51c688fc88c45b69cd0ea54a5698c356dc14c9d95eda00
SHA3-384 hash:	4ee3b7928c546c6d7fb4f1271cf66a468c05478f68b7b8fd09f55558fdc04ddafc766fe8126f798f6f586853e0c16301
SHA1 hash:	3a815367ba97218b687a88878a2ab5af876e7f12
MD5 hash:	58631a00282deb581b5f700e81d3b7db
humanhash:	triple-comet-fix-artist
File name:	TT Payment.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	656'896 bytes
First seen:	2023-07-14 07:46:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'467 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:nDp8MIAUghbw8LbdPRhI6KOK6dYCW60oW81I9eGS+PM249z:KMdnhpPRG6KOJX0N81SM249
Threatray	4'998 similar samples on MalwareBazaar
TLSH	T1C9D4BE4533749E32E4AEC2B8242920C8DF79B43E64B6E21A5F5A34D11E60F77772B643
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

TT Payment.exe

Verdict:

Malicious activity

Analysis date:

2023-07-14 07:48:27 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/57e5cc9e-4673-4e8f-931d-a90f9c3e721d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/418649/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.32199.24446.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Restart of the analyzed sample

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f933570e8d0c10e3df51c688fc88c45b69cd0ea54a5698c356dc14c9d95eda00

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/71e8ae86-dba2-4440-bc75-e5ffe4e07bde

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1273018

Signature

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f933570e8d0c10e3df51c688fc88c45b69cd0ea54a5698c356dc14c9d95eda00/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-14 05:23:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 38 (57.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7ezvodunbqiohx2ry2epzcgelnu42dvfjjljrq2w3qkmtwk63iaa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1f2d567b84fe0bb347de827e0004b1d84d1397e27570bfeadbef622d6b3f1654

AgentTesla

3b6936f2021bc0c7e777572f7b3d6d07cade8364d0e0c184b64772ff33093c05

AgentTesla

44e5d64cb7530cb3bf9c086a5f1cb7aa7c8a0cd61f08a316b08a95e9d629d853

AgentTesla

57d148e97edd36a56b6cb5fdfae00c5224b198f9660426e68f4a0555844d803b

AgentTesla

6cc4f246c1f5909591e0eef75590deb089a32a07eb568e0a5667fb46e1a37a56

AgentTesla

cf754ba143aca919dc53b8869d18ceb489014003092559062018193d6e0928bb

AgentTesla

e01a2923333399c3e27f0ad7be478f1fa0e61976c7d9e4a64ca7674565b7e130

AgentTesla

e2d2c19d0bb31b4fbe2f0b028e62937b4c63a655cb485fbe415341594f26c376

AgentTesla

fc39a3e6bd87bd2f7a2247a2270e17b5b6b061ba64723c0c582d53d80a3448e8

AgentTesla

+ 4'988 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230714-jmh8dsde5w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

1cf2939092e336d63c03a4218027add3cb63cde5e326313cd5e4045c77675a51

MD5 hash:

f30cf76b93ad8c1147483627501dde4b

SHA1 hash:

ae5a36e0575e838c68d13df1ffb2c26843b51310

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/10c3083d-4c25-4edf-bf0d-6d2b7f0c8fad/

Parent samples :

6cc4f246c1f5909591e0eef75590deb089a32a07eb568e0a5667fb46e1a37a56
1f2d567b84fe0bb347de827e0004b1d84d1397e27570bfeadbef622d6b3f1654
e2d2c19d0bb31b4fbe2f0b028e62937b4c63a655cb485fbe415341594f26c376
f933570e8d0c10e3df51c688fc88c45b69cd0ea54a5698c356dc14c9d95eda00
ce33bd7da486a90b2654cfed2c52f1cdb23c2183ace17f4ae26eb36531c6e0ee
3cbee8541701e9f374b952159f4650e7db1cc37865edf714506cb677da8906d5
e163660f2b270299aa1ff5846e0b7b8d9eac1f91ad2d3f5cfe3cfc261123bdcf

SH256 hash:

53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77

MD5 hash:

37e82d3e2864e27b34f5fbacaea759c3

SHA1 hash:

a87024a466e052bff09a170bb8c6f374f6c84c32

Link:

https://www.unpac.me/results/10c3083d-4c25-4edf-bf0d-6d2b7f0c8fad/

SH256 hash:

3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9

MD5 hash:

a5228b97b33467ac41fac5cac2718252

SHA1 hash:

28bb020c8a53b046fc8e8106f2913e62c5941a0d

Link:

https://www.unpac.me/results/10c3083d-4c25-4edf-bf0d-6d2b7f0c8fad/

SH256 hash:

47fb013b7f30bad5e08395e63c0268ac255c63f57a9ec003a081e2f66018727b

MD5 hash:

5f54d574fd99709837be259783906ff8

SHA1 hash:

04b8432d65101c3eaf1de7af9ee493c70682c5d0

Link:

https://www.unpac.me/results/10c3083d-4c25-4edf-bf0d-6d2b7f0c8fad/

SH256 hash:

f933570e8d0c10e3df51c688fc88c45b69cd0ea54a5698c356dc14c9d95eda00

MD5 hash:

58631a00282deb581b5f700e81d3b7db

SHA1 hash:

3a815367ba97218b687a88878a2ab5af876e7f12

Link:

https://www.unpac.me/results/10c3083d-4c25-4edf-bf0d-6d2b7f0c8fad/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f933570e8d0c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f933570e8d0c10e3df51c688fc88c45b69cd0ea54a5698c356dc14c9d95eda00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe f933570e8d0c10e3df51c688fc88c45b69cd0ea54a5698c356dc14c9d95eda00

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/418649/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample