MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 033451832cfb18365bc3d30b297f33a36e9d9f9a23ff6d1ba692503b5ef84ffa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 033451832cfb18365bc3d30b297f33a36e9d9f9a23ff6d1ba692503b5ef84ffa
SHA3-384 hash: f626674fe2b0c00e3d2b7e4710815014f665febb802729cd48c8f146225bac4545f242c25a6ebd217d5b4b0bc73f510f
SHA1 hash: 4cbffb75985d6a70e0d4d9adf32ad79312b8b2e3
MD5 hash: 3b85fa5897e1653aa5129ef93e5a6f8f
humanhash: burger-massachusetts-helium-four
File name:3b85fa5897e1653aa5129ef93e5a6f8f.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:886'272 bytes
First seen:2022-02-10 18:53:23 UTC
Last seen:2022-02-10 20:56:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:MUxG5SdpbosvyI0c5PQK3HQp4L3qu1nRP:MUsabLD0zKo4L33ZRP
Threatray 15'072 similar samples on MalwareBazaar
TLSH T19315012273EC9D29E56657F016BE923443F42C46A122EA0B7CE1BECF3972BC11801B57
File icon (PE):PE icon
dhash icon 68686cdcc6a6d2e1 (13 x AgentTesla, 5 x Formbook, 4 x AZORult)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla FTP exfil server:
ftp.mgcpakistan.com:21

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7AD508D1D36FD65595B6305310992F1ACA3C3CC1
Verdict:
Malicious activity
Analysis date:
2022-02-10 12:35:47 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/9f77058b-ab88-438e-9fe7-c103143e3bcc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/240731/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1194.15442.24799.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/62055f5245ddfa2e18bcab95/reports/87a43ad0-bb6a-4645-b849-079d8dd6b8a5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c297228c-e0b7-4b8d-b4eb-382ae4f757ce
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937921
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/033451832cfb18365bc3d30b297f33a36e9d9f9a23ff6d1ba692503b5ef84ffa/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-10 15:32:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=am2fdazm7mmdmw6d2mfss7ztunxj3h42ep7w2g5gsjidwxxyj75a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
23b769e1449f47cb7eebacc0381f9f3c2ecd7df18e77a4e8c3ef384dda10fb44
AgentTesla
41cba03f4c6ce7e24b6f2d9f146a8cb82e9a43236859e82f14b225c2232adc5b
AgentTesla
4babd6fa58cd93ab9f6c80717a8dc1330443f437bce73e4f9299ff1d30b431dc
AgentTesla
6c9b3cb473eafac739743f9f3c8be5bf671eeee602781a05c64fe7ff9b6e93fa
AgentTesla
8866780810cd65684ba4c903d896da0760dfb0b85f2b9965d9d60bbfc60c94f6
AgentTesla
c604aca88130354a1cf9209f45898fc867ea3f178d36de173a36db383eb5e42e
AgentTesla
cadf8b35e70d4c8b4fdadf65f6cbfddce7ad4e0319ceff8bd68101db962f9395
AgentTesla
d61623b9915cd46b51b99358c8d7fcbff16d1fed253dfba5372ffc7300f2577f
AgentTesla
dc53b80d7a0646e4b0106838a2b288abb782a7d51fc6a9f212f15a8bd3674c59
AgentTesla
+ 15'062 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220210-xj7ngaagal/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
f365b92b11041eed57b6f7534e83e04167fce1cfacc570e79335292f3c0ea8aa
MD5 hash:
9147a2ef317fe384182d1281e5af8110
SHA1 hash:
bbe360e6eca29a32e1f787e1416ddad4d35dcf1a
Link:
https://www.unpac.me/results/bca2f373-2ea4-4a4f-a695-bc78ad72f412/
SH256 hash:
70a259ca1e2fced170b880c6cb9e087a6d36c65df86e74228baeff5f2080386f
MD5 hash:
cc59179390ff9cefc730d237ad245a91
SHA1 hash:
99a9e1f999ce0f4ffcad30c12da83efafaf6897b
Link:
https://www.unpac.me/results/bca2f373-2ea4-4a4f-a695-bc78ad72f412/
SH256 hash:
93b763cc79cbb7754a028003e6914491da5898c5861ac0de550e2237b53f12c1
MD5 hash:
dab5b8de2b73187d3edb5b149fc49252
SHA1 hash:
692281e6daedad26e9eae9c19acd17779089f17d
Link:
https://www.unpac.me/results/bca2f373-2ea4-4a4f-a695-bc78ad72f412/
Parent samples :
256e56ffdee9c01af0bcc8b98eec7db32002cbd03adab70e47c79d63cdeb32ba
588f2a7d8c7000fe6b8b2db410b51d0178c3129cc31ea448aa31ee4d25f5bf19
2eeab86f3dd887a83b5a84d5d92d0442777b057ce256706c33c570360d9207a7
0a5dfd2ea65587c41b17a2d29a316c769fb79835a6f02a885b9ed7efb2924e45
SH256 hash:
5be8420f89f535510280c4be963c6921f6af6eaef4bf442acec31acb5280a0b7
MD5 hash:
995a052ef8886297af8a8511aed4d29d
SHA1 hash:
193ac6f60e6c72d51d6681dc1d6a1a439c3b9ecb
Link:
https://www.unpac.me/results/bca2f373-2ea4-4a4f-a695-bc78ad72f412/
SH256 hash:
033451832cfb18365bc3d30b297f33a36e9d9f9a23ff6d1ba692503b5ef84ffa
MD5 hash:
3b85fa5897e1653aa5129ef93e5a6f8f
SHA1 hash:
4cbffb75985d6a70e0d4d9adf32ad79312b8b2e3
Link:
https://www.unpac.me/results/bca2f373-2ea4-4a4f-a695-bc78ad72f412/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/033451832cfb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:exec_macros
Create hunting rule
Author:ddvvmmzz
Description:exec macros
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 033451832cfb18365bc3d30b297f33a36e9d9f9a23ff6d1ba692503b5ef84ffa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1991760/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/240731/

Comments