MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff241eca2063eb38b03d6dbe8d1af4e36536c10399ddcf9fcf1528f343f97f4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff241eca2063eb38b03d6dbe8d1af4e36536c10399ddcf9fcf1528f343f97f4a
SHA3-384 hash: 2b9c28198fcfe880f7f61ebeae18ae0c20dde071212f59389a555f6783316d5532c98ba223d557e4f4d74447ba0089f1
SHA1 hash: 9985cbedc75b7e977fbefc65aa088a9e13d8821c
MD5 hash: d8d15e4db0df148a65585f4c3a1c51c0
humanhash: november-thirteen-maryland-missouri
File name:qRHLrBumsHRQyA7.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:751'616 bytes
First seen:2023-09-20 11:25:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:VdRU72iNtz0535WZb3Uf3t1pydPR3gACUC/iT5+L7Mdqie:9U71f0GxkQpwACUC6T5+vMI/
Threatray 5'770 similar samples on MalwareBazaar
TLSH T1C9F4F1203AAC9FE3D33A63F54699954513F5652F903EE3450DC378CB6A61F908B21BA3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
qRHLrBumsHRQyA7.exe
Verdict:
Malicious activity
Analysis date:
2023-09-20 11:26:58 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/7ef8b2e4-1636-421d-8619-9bab6d2fc089

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450011/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/650ad69143cd377b1e9fb5b8/reports/78655e6b-4f95-4a77-b5cc-bbf3092b5c9a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ff241eca2063eb38b03d6dbe8d1af4e36536c10399ddcf9fcf1528f343f97f4a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d47e47a4-cc5e-4106-a88d-0f781216c0c5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311486
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff241eca2063eb38b03d6dbe8d1af4e36536c10399ddcf9fcf1528f343f97f4a/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 09:17:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=74sb5srampvtrmb5nw7i2gxu4nstnqidtho47h6pcuupgq7zp5fa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
104c937fc2b61a982610bc109941759dd8a5e48fbb868d9c03e3c1602e83b593
AgentTesla
20ae755cd163b0421ca9c12bc545e9bc22e256a64553ff27423c6e3146a05298
AgentTesla
372293f19446ed57ca833445d5d1efd66a6e4fc56ce5fd3164de5077845f2e87
AgentTesla
3ccdf1603e94bd0f3666122adf6eb7b1773d67e742cdbb2292423c8c7dccdf5d
AgentTesla
4f04a42a32afc88988279c6bd13c58623b9d8989d11119be3f1e3a35fe4d7fa0
AgentTesla
7bb0c7435eac35a50637bb58058fb0b71629b39cc0e7222b991cefeaffdc79a5
AgentTesla
afaeeb8f276bbc3a0e313afd63200cc6437d4c344a658ce3ee0582a8b68a7a1c
AgentTesla
b3f8e456aeaba0afc976104eeec20357a09e59da003df7061c954cb434f877ef
AgentTesla
c973ac0f49c3e9fe8acb6116504cce59e13c040105707d3a241802c3e53df783
AgentTesla
d9819797562fc37901466523b731e2114efd43d2395887cf44116e7b208e7d71
AgentTesla
+ 5'760 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230920-njbrcshh98/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1153223870891958314/4fjTdg6uWPR-Mfasd2z9A9lMK59UySWkNCvaFZXMHtU0FDbkkjIMF2XSDIeUY1fHd9R4
Unpacked files
SH256 hash:
66e79c557dff656111f7a93ac89e374c095fa81c8d00915c08c7b5d1a5bc3e8f
MD5 hash:
df98bf9a765ee4c05e4d485569d4b40a
SHA1 hash:
d3846abca9d04f475b78fd4b2a90a1b73083cbb7
Link:
https://www.unpac.me/results/0d63501f-32cf-4b1b-94fe-f530e3c4675c/
SH256 hash:
4c00f6d566b9f3d3f8407d44e477db87926c08fa089a351b165547de5a07d9d9
MD5 hash:
4fb1a7084bad3b1016533fee03610952
SHA1 hash:
d099e51ce5d9790bdc706a6f703294ad595cacb8
Link:
https://www.unpac.me/results/0d63501f-32cf-4b1b-94fe-f530e3c4675c/
SH256 hash:
d3c0f8d7e5eff92fb6378a1ccc62c8aba3944d12ccaade18fda748c9a7f0ecf7
MD5 hash:
cce65b953270fbe80deb6caf52235324
SHA1 hash:
95bb8e25a82869095e66e2efce10e82ec9780a46
Link:
https://www.unpac.me/results/0d63501f-32cf-4b1b-94fe-f530e3c4675c/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/0d63501f-32cf-4b1b-94fe-f530e3c4675c/
SH256 hash:
ff241eca2063eb38b03d6dbe8d1af4e36536c10399ddcf9fcf1528f343f97f4a
MD5 hash:
d8d15e4db0df148a65585f4c3a1c51c0
SHA1 hash:
9985cbedc75b7e977fbefc65aa088a9e13d8821c
Link:
https://www.unpac.me/results/0d63501f-32cf-4b1b-94fe-f530e3c4675c/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ff241eca2063/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/ff241eca2063eb38b03d6dbe8d1af4e36536c10399ddcf9fcf1528f343f97f4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0f153e7da13556161c16cda9153ed3c59a692cfdbb0a7cb6fb2753f3cb9a6618

AgentTesla

Executable exe ff241eca2063eb38b03d6dbe8d1af4e36536c10399ddcf9fcf1528f343f97f4a

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0f153e7da13556161c16cda9153ed3c59a692cfdbb0a7cb6fb2753f3cb9a6618
Cape
Cape
https://www.capesandbox.com/analysis/450011/
  
Dropped by
MD5 2b61f3f7e9dd004a37d2480313a0df39

Comments