MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb542cde48005850014e7114960bb009602a7ce0d6792accd820f06bced70b25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb542cde48005850014e7114960bb009602a7ce0d6792accd820f06bced70b25
SHA3-384 hash: 746907ee5f34232bdf804caabb0f6bed51fb3a1b5015609ec838ca15bc0e709114622548fe3f88b16809f1d7bc121283
SHA1 hash: de9a46c23d5e9b720fcf6cd2878347cba8d73664
MD5 hash: d54a0a2fe591979110963b16bc186801
humanhash: butter-autumn-november-glucose
File name:BL672802783628376927.xls.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:492'032 bytes
First seen:2022-12-12 08:45:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:2fc4rSTfVJ5Adq9S9i5vT0lHL/pQkfRFTl6ow:2ffq559RolrJfRRkow
Threatray 781 similar samples on MalwareBazaar
TLSH T1C2A4028E834B7725F72FCA35309430F9BB666713ED107B98B78E57182461F8198F84A9
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 8f43484c4c4a418f (10 x AgentTesla, 1 x Formbook)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345353/
Detection(s):
Win.Dropper.Nanocore-9831995-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Сreating synchronization primitives
DNS request
Creating a window
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun for a service
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6396ea4dd4d7598ad9052784/reports/3a6e9107-5215-48d0-8a98-f2a1de79a7d0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ac3fd5a-c6a3-4cea-8969-dedeab8a454c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1132510
Signature
.NET source code contains very large array initializations
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 765234 Sample: BL672802783628376927.xls.exe Startdate: 12/12/2022 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 6 other signatures 2->49 6 BL672802783628376927.xls.exe 4 2 2->6         started        10 adbe.exe 2 2->10         started        12 adbe.exe 1 2->12         started        process3 file4 23 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 6->23 dropped 25 C:\Users\...\BL672802783628376927.xls.exe.log, CSV 6->25 dropped 51 Writes to foreign memory regions 6->51 53 Sample is not signed and drops a device driver 6->53 55 Injects a PE file into a foreign processes 6->55 14 CasPol.exe 17 7 6->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        signatures5 process6 dnsIp7 29 api4.ipify.org 64.185.227.156, 443, 49695 WEBNXUS United States 14->29 31 api.telegram.org 149.154.167.220, 443, 49696 TELEGRAMRU United Kingdom 14->31 33 2 other IPs or domains 14->33 27 C:\Users\user\AppData\Roaming\adbe\adbe.exe, PE32 14->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->37 39 May check the online IP address of the machine 14->39 41 7 other signatures 14->41 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb542cde48005850014e7114960bb009602a7ce0d6792accd820f06bced70b25/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-12-07 16:34:05 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7nkczxsiabmfaakooekjmc5qbfqcu7ha2z4svtgyedygxtwxbmsq._file
Verdict:
malicious
Similar samples:
3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f
AgentTesla
533afea70b1fd1d2bc1bc9ade167aa251bdfaca969dbda48b240a17e01891986
AgentTesla
66242b095b2cfb53b52d1743a42aaa9fd94c6b53f58869c4b1c9d893a541e3a6
AgentTesla
7265ba924abcc035e8263873f5ed19842a0ad724b408fb816e7c1b64768b0cf0
AgentTesla
73a4ca1224bc4657443596157d3ce150bcd4b6dd32217f2467818c7efea4ee43
AgentTesla
866056e13d99c7a721a0e66aef8c2526dd2b8b6cecc90b0583699a175eeb66b7
AgentTesla
a9cf955162a9164b63c70530a2ed72b02ab53f7b39a3a9ece842cd2bebfb117c
AgentTesla
d508322a60cd4cec0047c9ec6324607c9901b87328751de54507724add138d4a
AgentTesla
db9bb4ecdc01a72d728f9fc7e522848ba7afe64bfa27516f0505a179db2f7345
AgentTesla
e82920cb9b7cf1077cdddabb9b56e84c70653f836ef85ea4d4a700501ccd12a3
AgentTesla
+ 771 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221212-kpa58sah78/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Sets service image path in registry
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5923086581:AAHHsNwaaRESZsgwKX8Ot_JZc9dbVzzFQEw/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a65a2c00-2c0f-4861-b935-7b6e0a76e6ab
Unpacked files
SH256 hash:
fb542cde48005850014e7114960bb009602a7ce0d6792accd820f06bced70b25
MD5 hash:
d54a0a2fe591979110963b16bc186801
SHA1 hash:
de9a46c23d5e9b720fcf6cd2878347cba8d73664
Link:
https://www.unpac.me/results/dd53bd7f-a76e-4163-ba40-4423649c940f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/fb542cde48005850014e7114960bb009602a7ce0d6792accd820f06bced70b25

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe fb542cde48005850014e7114960bb009602a7ce0d6792accd820f06bced70b25

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/345353/

Comments