MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2434b60331e372fc347f46ac1ede21a078fc11ddea75c52679ab4c49cd3c12c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	2434b60331e372fc347f46ac1ede21a078fc11ddea75c52679ab4c49cd3c12c7
SHA3-384 hash:	ba5545583c7f2bbf2d5f020848aeab81423eb20df9eb49bc218e5246e98eeb19bdf6ec9ddc8457d5f4b2616c700acf51
SHA1 hash:	0c214f6f4d78c3366d91acd70b5dced8bf5ae27d
MD5 hash:	48fbf3b3e6c295d69f79f7efbe62cacc
humanhash:	wolfram-timing-don-whiskey
File name:	NOAH SEPTEMBER_crypted.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	549'888 bytes
First seen:	2020-09-17 05:09:28 UTC
Last seen:	2020-09-17 06:04:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'448 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:svj9v2zv1ghpQBITcQFlU+HWtCzrkQxC:svo2zQVQFlU+2Azrr
Threatray	68 similar samples on MalwareBazaar
TLSH	00C4CF233318EFA1E13C977D9005152053F6D08BE33BEB9AFD9A00DBB899F524666752
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/62646/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.424.29870.2349.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/468751

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2434b60331e372fc347f46ac1ede21a078fc11ddea75c52679ab4c49cd3c12c7/

Threat name:

ByteCode-MSIL.Infostealer.Stelega

Status:

Malicious

First seen:

2020-09-17 00:27:56 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eq2lmazr4nzpynd7i2wb5xrbub4pyeo55j24kjtzvngettj4cldq._file

Verdict:

suspicious

AgentTesla

33c726715e4918afc273ac194038d0bafc1bea5b9429fc8798ed8e16eec9140b

AgentTesla

37a4202e64f88ef928f46cdb05653527a1201aaffd431022eececff19348515b

AgentTesla

3a8afa181b83a479c7c476791061dd4a7df56a59e21bcb72f0c8a32d76b66d5b

AgentTesla

6400a7dde7bc06a67fb024815767d03b203a608e9e976c998ddd4d10fab34667

AgentTesla

a1164f44afc2ceee90a833e950f23a3bb69c4557331cadb35e4f95bf335f1b27

AgentTesla

ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42

AgentTesla

b98ed6a71c93bc3722112643bea2bbe8767e016d807e0463266ee2fd47ad9e80

AgentTesla

d18b49a5a492666909ad1d1d9f17b538d4c7da9c804fd5f694170ba46a05c708

AgentTesla

dde5198a36a325023e0381c7102067145700653585666a5dcbd5e1c4362d35d8

AgentTesla

+ 58 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200917-5747kbzjfs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2434b60331e372fc347f46ac1ede21a078fc11ddea75c52679ab4c49cd3c12c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 369a7731de6cd9b19a81591905150186097c002237a6d4c3c966ad449ff4ab30

AgentTesla

exe 2434b60331e372fc347f46ac1ede21a078fc11ddea75c52679ab4c49cd3c12c7

(this sample)

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/62646/

Dropped by

SHA256 369a7731de6cd9b19a81591905150186097c002237a6d4c3c966ad449ff4ab30

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample