MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04b3ebdb8ef471ed1baaa10c91e0654037120a0642d10aad6934f52a03cf3410. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04b3ebdb8ef471ed1baaa10c91e0654037120a0642d10aad6934f52a03cf3410
SHA3-384 hash: 7cf2d62f2ee4145d428fb04dd2dc4785a187df5c0cf0fb5baac08e8b9b162238f12ef989cb28905e51f9407a1826b01e
SHA1 hash: 348f88b82e07f64740090f5357b0da891f05a583
MD5 hash: 71619a2229c053ddb34ee5df6222d6aa
humanhash: idaho-fix-butter-jig
File name:Drexel.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:471'584 bytes
First seen:2023-03-27 05:28:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ed0d71376e55d58ab36dc7d3ffda898 (133 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep 6144:AbUTp1kKX7AB/N0A6Sg46c0Gnh7C8t4eWnC1ow3Sz4phjLwJxJkDiKutgx57zcSl:AIFEzDgjr8t4eTTuCKJkDXxlck
Threatray 470 similar samples on MalwareBazaar
TLSH T102A4E0127719D903E25111709662E3BD1BB87F682D5A8B02B6F0BDAF3579B13EC1E780
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 64fcfebabc3c8c70 (5 x GuLoader, 1 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Drexel.exe
Verdict:
Malicious activity
Analysis date:
2023-03-27 05:30:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/009d6539-6aac-4a6e-9b0f-694f152b8fa0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/377731/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
83%
Tags:
guloader overlay packed sality shell32.dll virus
Link:
https://www.filescan.io/uploads/642129af009023b71dc30526/reports/81bca3fa-6d6a-4094-b508-10cb6bb93614/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/04b3ebdb8ef471ed1baaa10c91e0654037120a0642d10aad6934f52a03cf3410
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8c2e0faa-8021-4947-9aaf-f5a363688f22
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1202438
Signature
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04b3ebdb8ef471ed1baaa10c91e0654037120a0642d10aad6934f52a03cf3410/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-21 11:58:46 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=asz6xw4o6ry62g5kuegjdydfia3recqgiliqvlljgt2sua6pgqia._file
Verdict:
malicious
Similar samples:
0a80ba418f561098477e18cc42ddfc31796b2be3166ff6c99967b98388fe4826
AgentTesla
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
AgentTesla
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
AgentTesla
5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599
AgentTesla
629156764548d3bdbc062de11f6ad819bb0d7d166aac339b04674861df522206
AgentTesla
723ff97e6559f6558c288ca693898592a21aab28c003883ca13b81667d7e3aef
AgentTesla
c627b8bb6c4ea0cf03aa2d209d0ecc53ff9784283328dabd44c1675aef0939c2
AgentTesla
d03b9ead3cfc79c7495986f26b97dbe24b0558314a4993f595c80f8817295c48
AgentTesla
dc5da53a5e93a588335b6561258d1540ac7d696c633d03de92e72d8e53254234
AgentTesla
+ 460 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230327-f6lk3sbh49/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks QEMU agent file
Loads dropped DLL
AgentTesla
Unpacked files
SH256 hash:
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
MD5 hash:
7399323923e3946fe9140132ac388132
SHA1 hash:
728257d06c452449b1241769b459f091aabcffc5
Link:
https://www.unpac.me/results/357f218e-e178-4554-9402-92fd1b097094/
SH256 hash:
04b3ebdb8ef471ed1baaa10c91e0654037120a0642d10aad6934f52a03cf3410
MD5 hash:
71619a2229c053ddb34ee5df6222d6aa
SHA1 hash:
348f88b82e07f64740090f5357b0da891f05a583
Link:
https://www.unpac.me/results/357f218e-e178-4554-9402-92fd1b097094/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/04b3ebdb8ef4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/04b3ebdb8ef471ed1baaa10c91e0654037120a0642d10aad6934f52a03cf3410

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 04b3ebdb8ef471ed1baaa10c91e0654037120a0642d10aad6934f52a03cf3410

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/377731/

Comments