MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24bd41c8fc07f033063d6819f9b2ee788502332dccea8dacf1e944e5445e11b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24bd41c8fc07f033063d6819f9b2ee788502332dccea8dacf1e944e5445e11b1
SHA3-384 hash: 9071cb35ac57a8a9048e166b76677b745fae1624d3355ad97d8d8d9d6598663b2af206117232da391ab4dfbb72e5df74
SHA1 hash: 48d2d67ab6837c8601fb18cdd2d08adc11a731b2
MD5 hash: 2d3dde9676f824c437acd029df7b2d2d
humanhash: cola-nebraska-north-alaska
File name:Ziraat Bankası Swift Mesajı (8).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'117'696 bytes
First seen:2023-03-09 13:08:51 UTC
Last seen:2023-03-09 14:29:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:MuOZ6wGkB+e9uf8mS4WJOcfJcg3nsIXHXus2wnd8O:X+OcfJcg3RXHW+8O
Threatray 1'516 similar samples on MalwareBazaar
TLSH T1BF355A92E9995D5FE613CB3A5333580D21671D25F23DACE92C78F1A62AF26830721C37
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR ZiraatBank

Intelligence

File Origin
# of uploads :
2
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankası Swift Mesajı (8).exe
Verdict:
No threats detected
Analysis date:
2023-03-09 13:21:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/687b44dd-3f9b-49b6-8b41-560394ffe2f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372993/
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.144.5535.797.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6409da70f0b8f72099e88c3d/reports/d8c11940-426f-469d-a664-ca30cf15ad40/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/24bd41c8fc07f033063d6819f9b2ee788502332dccea8dacf1e944e5445e11b1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01cc8c7b-8a9e-4d3b-9266-8ec2840d6cea
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1190349
Signature
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24bd41c8fc07f033063d6819f9b2ee788502332dccea8dacf1e944e5445e11b1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-09 08:08:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=es6udsh4a7ydgbr5nam7tmxopccqemznztvi3lhr5fcokrc6cgyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
29efaf03dee08b4e3f4e23e41b9581513da070dc49e746e91aee2022fef12088
AgentTesla
4c3086c7b54ad80ad5fc64db138390fed0936764f882ff2ef7aad23656e8897a
AgentTesla
685009598ad43caf98a36998b832e2e0b68bc79701837afc5911e8816cfe8b41
AgentTesla
8da7ef055878488998112d74e8df94b2051d03a87d562d580c56fbc839e16a46
AgentTesla
8f5f10e8c6a4972440bdd3613161c4a48b9e7deea15acf6891d2de6251947c95
AgentTesla
a905a0785d3fa357974e3f94754c6bad02bdbfb4083fb5509161523c5b2ffb56
AgentTesla
b8812397545808ecf86c5dc5202ca5d05fedd2ee21090808f51fb5d315910851
AgentTesla
c3bbe889607ea65e9e9310509d927ba4f08630b5738d35c76937ba978bd5ecea
AgentTesla
c50e616b405db7270d7834339e74dfafbb495ce8e36d0feef6ccd488b704671b
AgentTesla
dcfec13b68c930722cf2697095a378e65f6733107001f090ad3dec72d678ec83
AgentTesla
+ 1'506 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230309-qdt2vsbd6w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
b0b056b8e456d1a056bde5f134d8d2ec176949a0c3842488fa297ab8fa319c05
MD5 hash:
5c4afd35e8b7167fdade6c881bf1a04f
SHA1 hash:
df2de52b922c35beba2f8d15d9c09634af99dfab
Link:
https://www.unpac.me/results/ead635ca-a615-4108-a1d2-4ce72808c7dd/
SH256 hash:
6b739fd75d1fc59a528641bdf04fca35ca991627ffae39f0e2ef7304784ce13d
MD5 hash:
caf44fd31119d2a82a18878415e80645
SHA1 hash:
b96b7d3fe86cae362767addc380e7160aacadb70
Link:
https://www.unpac.me/results/ead635ca-a615-4108-a1d2-4ce72808c7dd/
SH256 hash:
57c9f486be687ebc08a756e5fd750fc63f3f3b8892b46508589ecfd2b69c9eca
MD5 hash:
cd7051e0594ee4d89521baffc7693b41
SHA1 hash:
9b7ee6f1bc68f29807b96c7487b12c751cff427b
Link:
https://www.unpac.me/results/ead635ca-a615-4108-a1d2-4ce72808c7dd/
SH256 hash:
1b257dab19deabeb2a99e6224f2394583fa2312f953555b461b25a7f66cd8c25
MD5 hash:
7c8f8352545a4f0de805d0afe3c30ad8
SHA1 hash:
46a998032407f5f7347a7da34eebebc41cf9b6ff
Link:
https://www.unpac.me/results/ead635ca-a615-4108-a1d2-4ce72808c7dd/
SH256 hash:
d01aa596af9a689f52bbf59da8d637833d796884047c12be54d0c00c65d72eae
MD5 hash:
1a9718c6fc99c0f80404a70acfafca61
SHA1 hash:
2449529452f01ce1f1998b4817463212e17b73e2
Link:
https://www.unpac.me/results/ead635ca-a615-4108-a1d2-4ce72808c7dd/
SH256 hash:
24bd41c8fc07f033063d6819f9b2ee788502332dccea8dacf1e944e5445e11b1
MD5 hash:
2d3dde9676f824c437acd029df7b2d2d
SHA1 hash:
48d2d67ab6837c8601fb18cdd2d08adc11a731b2
Link:
https://www.unpac.me/results/ead635ca-a615-4108-a1d2-4ce72808c7dd/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/24bd41c8fc07/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/24bd41c8fc07f033063d6819f9b2ee788502332dccea8dacf1e944e5445e11b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372993/

Comments