MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff83137921b3eeff0d4fb13d18137b9350419d94b84e42f791251dd83af8563a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	ff83137921b3eeff0d4fb13d18137b9350419d94b84e42f791251dd83af8563a
SHA3-384 hash:	4c1accaccafb0bdd75125689668be3c4eaee0a53b2b0aaace64f38e03984256b1c0c1773ab7917a049af9daf4fd5902c
SHA1 hash:	ca3545f6c9a141c5e9427228583f1159156a258e
MD5 hash:	bfb82aaa5891e706317c355a2db9a44e
humanhash:	muppet-crazy-hawaii-three
File name:	bfb82aaa5891e706317c355a2db9a44e.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	623'104 bytes
First seen:	2023-07-13 11:48:00 UTC
Last seen:	2023-07-14 07:51:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:C7PpgVMJn0mCoufxPvAfuN8yuF82NLGC0ewHxRcU5oXq+3Ut:YH94xsunuF82Ny3Ywq3U
Threatray	5'083 similar samples on MalwareBazaar
TLSH	T18FD41229793D9B27D2699BF0115565B093BF98F7B460E3238CCB71DEEA21B004F48A17
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	obfusor
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

bfb82aaa5891e706317c355a2db9a44e.exe

Verdict:

Malicious activity

Analysis date:

2023-07-13 11:51:11 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/1987b328-9a52-4b4c-832c-8a9d3ec1ec1a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/417349/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2175.27570.27875.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/64afe478057bff26cf236f09/reports/55972b6f-afbf-4424-b742-8db754ba50da/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/ff83137921b3eeff0d4fb13d18137b9350419d94b84e42f791251dd83af8563a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b2637cbc-8023-4fa1-a10b-dfe4b14a739c

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1272441

Signature

.NET source code contains potential unpacker

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ff83137921b3eeff0d4fb13d18137b9350419d94b84e42f791251dd83af8563a/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-13 10:32:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=76brg6jbwpxp6dkpwe6rqe33sniedhmuxbhef54reuo5qoxyky5a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

273af1b5521eb9976cce02519b2a6b9036347af59cc2eb63454eacc537cee331

AgentTesla

42032fb2e1a7dcd8e06876f6cb9f0fa51d82806f29ff0253ce2502b862f70981

AgentTesla

750361a8039bd9876939ca3ee37312821f8cd019eabe123ef884b30433757677

AgentTesla

966dd595fc018c22a4b99f77066d8eb60aee0af02504bb7f915457c7b2726157

AgentTesla

999c708503ca5289854b3347f0a9115d596676ba1f41b51b0bf9ff1f12ced04f

AgentTesla

c3d408d3ba7f6ea4acf913b8fd845e98c587fc8a6c67f48ef3542e3895ba7153

AgentTesla

d3c78007c8fa7de455de452208e6c3f487237162369a57f01e6a79b53cb19a9b

AgentTesla

e5b3f5c88055487475981257a3146b756a653845e01c66141d3547192805a8f3

AgentTesla

+ 5'073 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230713-nyfc4ahd8y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

e136bb341e797b383441a560a9d9f6fc3517e520eeac47295f417214c5009488

MD5 hash:

fe38bb4f067cbe5fc3472583e7a8ff9c

SHA1 hash:

afeea490875741cac6f98f536c59c0c52f5de517

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/56f5616b-3de1-4060-ae8b-f8b20ea45c52/

Parent samples :

1428623f3d2769a2f63e2e07444e0af8f334cdcc0b8d38faafc06dea97ee322c
c3d408d3ba7f6ea4acf913b8fd845e98c587fc8a6c67f48ef3542e3895ba7153
273af1b5521eb9976cce02519b2a6b9036347af59cc2eb63454eacc537cee331
d3c78007c8fa7de455de452208e6c3f487237162369a57f01e6a79b53cb19a9b
ff83137921b3eeff0d4fb13d18137b9350419d94b84e42f791251dd83af8563a

SH256 hash:

53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77

MD5 hash:

37e82d3e2864e27b34f5fbacaea759c3

SHA1 hash:

a87024a466e052bff09a170bb8c6f374f6c84c32

Link:

https://www.unpac.me/results/56f5616b-3de1-4060-ae8b-f8b20ea45c52/

SH256 hash:

3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9

MD5 hash:

a5228b97b33467ac41fac5cac2718252

SHA1 hash:

28bb020c8a53b046fc8e8106f2913e62c5941a0d

Link:

https://www.unpac.me/results/56f5616b-3de1-4060-ae8b-f8b20ea45c52/

SH256 hash:

226b49900cae501c24d8cf2c34cdfeafe354bafab36b0bb55f7197d889beafd4

MD5 hash:

37b856f5dfc8f510017b5ab4a7173400

SHA1 hash:

0292cb41a787e23a210d9d7031b1a74fad66fc53

Link:

https://www.unpac.me/results/56f5616b-3de1-4060-ae8b-f8b20ea45c52/

SH256 hash:

ff83137921b3eeff0d4fb13d18137b9350419d94b84e42f791251dd83af8563a

MD5 hash:

bfb82aaa5891e706317c355a2db9a44e

SHA1 hash:

ca3545f6c9a141c5e9427228583f1159156a258e

Link:

https://www.unpac.me/results/56f5616b-3de1-4060-ae8b-f8b20ea45c52/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ff83137921b3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/417349/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample