MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe5734f6621e30a2686219f31e5ebcca7e7851e8a572baf1463551de0d72d4ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	fe5734f6621e30a2686219f31e5ebcca7e7851e8a572baf1463551de0d72d4ea
SHA3-384 hash:	6e87a83febc4aa133bf58491ba4bccd9fbf8cbf137107de9303dbcb4ef0e74706229292be30cad6c44c03d4efb45bd9f
SHA1 hash:	4ff5776425fa957e56937dcaecbf94ebec98f8cf
MD5 hash:	fcbf2c7ad881fc73845f1b228662bbfe
humanhash:	maryland-summer-cat-rugby
File name:	DOCUMENT.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	487'936 bytes
First seen:	2022-12-12 14:27:08 UTC
Last seen:	2023-01-06 10:22:44 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:3YT6u+vGKzFcBG/kRizPjyz5tvtwhpmQ28fY7Bnt/tBrFjcCeo+y:3YtapFcKLeNtlw/W8gntHrF1eo
Threatray	788 similar samples on MalwareBazaar
TLSH	T108A40138862DF906EA10B67D879DA2113D6684877E0F0BF6FD9280056693D5CE7F0A73
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

DOCUMENT.exe

Verdict:

Malicious activity

Analysis date:

2022-12-12 14:28:31 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/6908d7d7-74e1-4583-98b6-214ac5bb4d12

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/345461/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.64171510.24998.519.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

mimikatz packed

Link:

https://www.filescan.io/uploads/63973a74485d8463dc41410a/reports/c44669d5-b06e-4515-b1c9-b029b9558319/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/32bdfd05-f6d7-41a3-a112-bf847eadcab9

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1132695

Signature

.NET source code contains very large array initializations

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fe5734f6621e30a2686219f31e5ebcca7e7851e8a572baf1463551de0d72d4ea/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-11 02:25:19 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7zltj5tcdyyke2dcdhzr4xv4zj7hqupiuvzlv4kggvi54dls2tva._file

Verdict:

malicious

AgentTesla

30b9abba303c9e7186148b7a36e0f6c8ba15fba0a266fd4bae27690219231cad

AgentTesla

473e99cdf2dc25a6bf43a56e9b095639776294bea38321c079cceecb3678c28d

AgentTesla

4911e766770f8f08977e5854fe87bef96d29e80b8c5a0ef483d362d18c9941dd

AgentTesla

66bfc82c4f69f36538f7ff9f5949f72288805850f4b64980c17ec930c6baf224

AgentTesla

81b35baa6211c517fbe57749520eaf024a4f76b5aa7c90e63e509095e0a665a3

AgentTesla

b0e2ee5d5dcf0c508bd3f0d3016bc483d880ae94120fe214a4bff996bcc074aa

AgentTesla

c00660379db4da598cf59eeb74ae9a686803cc4296cbde73a61c988cf87e1d44

AgentTesla

d1ca3f8fb1acd28ee6ce1227880e74fca8aa908ca373931a5180f3cb76bb8fe1

AgentTesla

dc72c7525da8aa1afaadaf707499054dd9be20d0c78318d2f63af1fa37d58546

AgentTesla

+ 778 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221212-rsz24abe65/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/64350767-ff32-4bac-a4a8-fc74e1775b14

Unpacked files

SH256 hash:

fe5734f6621e30a2686219f31e5ebcca7e7851e8a572baf1463551de0d72d4ea

MD5 hash:

fcbf2c7ad881fc73845f1b228662bbfe

SHA1 hash:

4ff5776425fa957e56937dcaecbf94ebec98f8cf

Link:

https://www.unpac.me/results/7a061b09-c7e4-45e8-8793-9f461a5f0bda/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fe5734f6621e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/fe5734f6621e30a2686219f31e5ebcca7e7851e8a572baf1463551de0d72d4ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip f1270ce895ff157fdf1831ce5bf58142b2f3dc9ed85bcb54ebe9f48a9b9e76e1

AgentTesla

exe fe5734f6621e30a2686219f31e5ebcca7e7851e8a572baf1463551de0d72d4ea

(this sample)

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/345461/

Dropped by

SHA256 f1270ce895ff157fdf1831ce5bf58142b2f3dc9ed85bcb54ebe9f48a9b9e76e1

Dropped by

MD5 991901b931ea1a26704e62e50adfdf79

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample