MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562
SHA3-384 hash: edc539d1067628f3dbfc6686a98dd1fec2232c67b84768ce37c0ae00b11f0c8903611f9852549aed636631355e675217
SHA1 hash: 64cf8c5f16b8adaba37146a85f1910dbcceb8d08
MD5 hash: dfec1dd8875c667ce7305084a3583a42
humanhash: delaware-zebra-eleven-jig
File name:Payment Slip_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:574'976 bytes
First seen:2023-04-11 08:03:39 UTC
Last seen:2023-04-11 12:29:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ezk2w1wjVviTsFSS+DTU5Vb/5CzT7uE6Hwx4K6Id:eQ2w1wjVvia0TU5Vb/5CaE6Hw+K6
Threatray 1'931 similar samples on MalwareBazaar
TLSH T143C4019E6275EFA4F45C0BF41090684517BCE349E1A0ED6C9C9223E38E77FA211993E7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
300
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Slip_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-11 08:04:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e96f905f-2177-46e2-9d4a-ad4a5113fda1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381357/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64351473c41e8bc6a3b0dd39/reports/3bd455a2-e45a-478c-be99-607f6dd51f41/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c487f612-ffa5-432d-a442-4544851450fc
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1211534
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562/
Threat name:
ByteCode-MSIL.Trojan.DarkStealerLoader
Create hunting rule
Status:
Malicious
First seen:
2023-04-11 07:46:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=duzum7n2bfc5fig2wf43nvndrspjg3z4kgqs3px5v43b34vgevra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
296985e566c978fc095ae09686f69f8ddc80a2b6f6b26dfab6ce11ddf7daab02
AgentTesla
4250c2787cb484a030495a28dfbe00899b8a18f0ab1aa8550ac8317e3dd9f44e
AgentTesla
578873c16060e04fcfe43f9c9c04d2779a09a7566b3b4e97c1b18d87ac381057
AgentTesla
7e1c405ac07788e439b2e98c3d95a6ac49046e031f808893a47770e340668cad
AgentTesla
9b2b9f8f70057a1d60700f490e59ae93972ce2fdfb852770ae08fdfff72a0611
AgentTesla
a6ffd66b9b3aa45638bee7e9a43b1110d2ae5b42fd10d0ff316a454ed3ef1d49
AgentTesla
d3cbeafcefe0aa050926d93155a7b57664103941038a9bbeecd67d9668083a12
AgentTesla
d9714cc1bedd6d2bc845fe08c8328c5f3d20fd4280339e8135309fa3e7958b95
AgentTesla
e92efa61a4ae7376c52f323abae88f5303a217b58966e4a71042fbebd0cba60a
AgentTesla
+ 1'921 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230411-jx87kach7y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
bcaef0e069cb2cbe0fc9b4283907d54ee6473010d7d4f4f0631d21e9e0b8b990
MD5 hash:
598a72b6432aae3aece3da8eda0043f3
SHA1 hash:
f8f975cca6872dc971cf1ac0497bd6446428c9b5
Link:
https://www.unpac.me/results/b95fb1c7-05cb-47dd-9793-691b231f0d5a/
Parent samples :
721cd7be724330f00dce933ea88b8a6abda0f2e83543a6c0f5bf0ce3754ccdbd
ec2832608abf213a2a622dba1ec894e80b2adfc3d0eb03ee783fa2df47dc6bf0
fb2945c4344dbf6a9de214dcb4fcc52ab7b039b17b2ab924558eb08f8fd13c71
05220984bed944b5743d4a9b640a42788d53ef523a8f9dc81c983b9da74eb6da
8573f0b0ca38799192fa3c6d6bfc928a2f1383f529e65c43f8c324b825735bd5
fe0dc5415b9e4a0aaab85349ca18704f10b02a3f5fe6de959b3e39d12a9a07a2
d6497995d3f65551d193a651e10534d71d249b8e722290bc3c1f0fd4f7156c72
74184f7d76c799408c51a411c56eaaeab7adbf28a16cc3729bb0e96f11b55488
SH256 hash:
992a978269f1d6698f19b4e002628e53fc6374da35882cc9cb058b078aaa7d83
MD5 hash:
973cd47d054336f602dc0b19d6ffe3ca
SHA1 hash:
d8f9b94700a4ad8b95d431208489b097e1dba9b4
Link:
https://www.unpac.me/results/b95fb1c7-05cb-47dd-9793-691b231f0d5a/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/b95fb1c7-05cb-47dd-9793-691b231f0d5a/
SH256 hash:
9192aaefb797666d7bc18a96c317960dc459f76550a59cc5be84ac1cd3d0de90
MD5 hash:
5fdb1cdd1f79785f09e454be8897a089
SHA1 hash:
58e002783a046941850e8f57da1e5e6eab71b332
Link:
https://www.unpac.me/results/b95fb1c7-05cb-47dd-9793-691b231f0d5a/
SH256 hash:
6413c60502ba771163bb96527a5b8fdf5d765cd19f89bca13c6442bbd8bdb4bd
MD5 hash:
d52609f7faa0c91840a49a848a476000
SHA1 hash:
268d289f07cd7f58d0c4db7d785fa350a3ed431a
Link:
https://www.unpac.me/results/b95fb1c7-05cb-47dd-9793-691b231f0d5a/
SH256 hash:
1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562
MD5 hash:
dfec1dd8875c667ce7305084a3583a42
SHA1 hash:
64cf8c5f16b8adaba37146a85f1910dbcceb8d08
Link:
https://www.unpac.me/results/b95fb1c7-05cb-47dd-9793-691b231f0d5a/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1d33467dba09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381357/

Comments