MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03381e78e8dfffea1168eda8f21c09a499efba59bdccec61388345b01040706b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03381e78e8dfffea1168eda8f21c09a499efba59bdccec61388345b01040706b
SHA3-384 hash: 4380711f1bbfec07dd13e1a06bc241e2b8f43ce6a52f62b20ed67eefa79aa5cd82f65385bf82bb466a70d01416eb13e8
SHA1 hash: d5c92fe2e80b6a9af1e44ec367ddc017c67f943c
MD5 hash: 8953081b1114749f581eb849497552a9
humanhash: magazine-magazine-jersey-angel
File name:8953081b1114749f581eb849497552a9
Download: download sample
Signature AgentTesla
Create hunting rule
File size:592'896 bytes
First seen:2023-01-30 10:54:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'616 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:gSkOvbnR8ey/ZhY1XDKzFqIGmDhbvE4PvYs362Vc/bShg:CvZXGmpI2Yeh
Threatray 11'267 similar samples on MalwareBazaar
TLSH T1A9C48C1023ED5F44F6BE4B7886B9405217B77C827532E21D8ED230DE4EB2B50AB46B67
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 7eeceeccd6c2f2f2 (14 x Formbook, 9 x AgentTesla, 8 x RemcosRAT)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://23.146.242.108/88/vbc.exe
Verdict:
Malicious activity
Analysis date:
2023-01-29 23:13:55 UTC
Tags:
trojan snake keylogger evasion
Link:
https://app.any.run/tasks/4e1218c2-6783-4510-ae2c-adc64210d513

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/358249/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d7a20f416d38777a7a57fa/reports/b63a273f-eac1-4df2-b263-05fce2540e0e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d281c76-6615-49b6-93b9-d8b2b04167ea
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1161498
Signature
.NET source code references suspicious native API functions
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03381e78e8dfffea1168eda8f21c09a499efba59bdccec61388345b01040706b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-28 09:50:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
25 of 39 (64.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=am4b46hi3776ueli5wupehajusm67oszxxgoyyjyqnc3aecaobvq._file
Verdict:
malicious
Similar samples:
0c2bfa1c8975deb05bc6fe48971ddf533e6649f27a34c34b4f42637e4ec8bc5e
AgentTesla
1d6f78537aeeb8602bad208171c8c40dfc99cf86ae4d2743f20ca8fbe2f2cec9
AgentTesla
1d815d0d8666918b92ba9ad7d998b096401ca509258d8526ac80289cb0c009a0
AgentTesla
876f6337c556e06671a3e9afb7dc6a7b008ff3e88205d67111a9a89f8fc3e0b0
AgentTesla
c94fc73c5fcad1ab614fba37d9cc9c21f328c4787e39f3e3d673e1c408691434
AgentTesla
d21c653f7179ec7a9cc3444b95de606d4ec76538c3023748cf265f0468f741c6
AgentTesla
e31c608e7f7c15f3783ce3a0f60de2df28ac15195aa873d74feacfac98d2b0fb
AgentTesla
+ 11'257 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230130-mz5hyabg3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
bac403b77a2f6a9eceeb3e2b284737a97dbe89e54849ad307a97b4c550a28047
MD5 hash:
e124dccca54cebef5d6b70695cf5254d
SHA1 hash:
ed5d519fd824fcaa1e6716888b173d4d2b186fbd
Link:
https://www.unpac.me/results/8c962e12-29f5-4407-80e3-416d94196fe3/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/8c962e12-29f5-4407-80e3-416d94196fe3/
SH256 hash:
e33431aede67b98aa7b1e54842acf9e26b9c3b037d8527d8a683e3f357b35021
MD5 hash:
c3c460b4992020d470bd569d735b199b
SHA1 hash:
be123f541d74a6a03580c191145b281e8163d04c
Link:
https://www.unpac.me/results/8c962e12-29f5-4407-80e3-416d94196fe3/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/8c962e12-29f5-4407-80e3-416d94196fe3/
SH256 hash:
87bf749a0a7e68a2c95329ffc747a8f3b35d5f94565e4ff243ec53deeef3f28a
MD5 hash:
b09557efe1d4c1450dda4e5d74d8c2d2
SHA1 hash:
953a734b8f171494caf19c77db8d41e376f85465
Link:
https://www.unpac.me/results/8c962e12-29f5-4407-80e3-416d94196fe3/
SH256 hash:
03381e78e8dfffea1168eda8f21c09a499efba59bdccec61388345b01040706b
MD5 hash:
8953081b1114749f581eb849497552a9
SHA1 hash:
d5c92fe2e80b6a9af1e44ec367ddc017c67f943c
Link:
https://www.unpac.me/results/8c962e12-29f5-4407-80e3-416d94196fe3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/03381e78e8df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/03381e78e8dfffea1168eda8f21c09a499efba59bdccec61388345b01040706b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 03381e78e8dfffea1168eda8f21c09a499efba59bdccec61388345b01040706b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/358249/
  
URLhaus
https://urlhaus.abuse.ch/url/2522477/

Comments


Avatar
zbet commented on 2023-01-30 10:55:00 UTC

url : hxxp://23.146.242.108/88/vbc.exe