MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27c778ddd5fc52f6b2d3950b409b9d0eae0aa20efc48c29b6aea24c3735a979d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27c778ddd5fc52f6b2d3950b409b9d0eae0aa20efc48c29b6aea24c3735a979d
SHA3-384 hash: eb8dea0e84c8c93221962c825adf435f313b1e120bf4332029a47752339540ae4c7de6c3f4122c81feae0efe82241e96
SHA1 hash: 11ebf4d5684ebca973e6a7b91345f6820256c9d7
MD5 hash: 0c60f7258b05528fedfb993f2b27a6c7
humanhash: six-quiet-uncle-fillet
File name:SHIPPING DOCUMENT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:619'008 bytes
First seen:2023-07-17 16:03:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:pqTrQaSejL8ZyCUUsXj8T03cidXD8c6FMmHSsHVT8gbtrIAVu2MNFb7E:pqTrQaSejL8ZuUOjR3cmXlwSMVrI4
Threatray 5'323 similar samples on MalwareBazaar
TLSH T1E4D4AEBC7138A3EFDA07CA32D8642C5161E0226757E7838E8877159FBE2D466DB141F2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SHIPPING DOCUMENT.exe
Verdict:
Malicious activity
Analysis date:
2023-07-17 16:06:51 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/f78106cf-c93b-4eba-982d-1ab38a28d610

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/422714/
Detection(s):
Sanesecurity.Rogue.0hr.20230717-0537.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64b566738ca71f19e088d100/reports/3e651648-6634-41d5-a61b-b6e6cdd3d3c9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/27c778ddd5fc52f6b2d3950b409b9d0eae0aa20efc48c29b6aea24c3735a979d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/238fe164-f9fa-457d-92fc-1956bfb6c17c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274562
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/27c778ddd5fc52f6b2d3950b409b9d0eae0aa20efc48c29b6aea24c3735a979d/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 02:18:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e7dxrxov7rjpnmwtsufubg45b2xaviqo7remfg3k5ismg422s6oq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0792e51bf75ef3e84e9d67abfefde373c2a068c28fb03c7fc1cf4c980b1a1df6
AgentTesla
0a8f6e16fbacee3c0e929af360aab8f396937f31ebd07344f0ac295465071b45
AgentTesla
1c4912d724ce2c46bef48e510e3203d1b460c77cc16f3fc2eaec561499b37302
AgentTesla
7b4cf761f6d81b2808e88bd6239a3b15909c828ea709cf6f975f5caa6be7e472
AgentTesla
a029d8c0575a9eea5fb42ec03d36b3bc1443775d1500274c97aee32b8a666505
AgentTesla
eca38d03cfa86717e86a3deab218a3c4125a6b10a36825d178ac263731288d37
AgentTesla
+ 5'313 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230717-thxv4adb72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Unpacked files
SH256 hash:
809ab5b6922feb18d2a840a0edd6b50f4568f22f9092aa1d32660b09e260d106
MD5 hash:
9d2a8e26363dbbb84279b5973e76a187
SHA1 hash:
e2d00014471dc943c6fdafb2971e0c421784e1e2
Link:
https://www.unpac.me/results/50335e59-db95-43c6-8c59-ee104a5ebb05/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/50335e59-db95-43c6-8c59-ee104a5ebb05/
SH256 hash:
2c0b40c383647cf634091e3c251867c3964816385fd922647bd5cd7d68dcf1e7
MD5 hash:
33e7c619f430ddedd93b7a58939f695d
SHA1 hash:
478024d08406a51a2958b2f02fc7b3f4af0f91d3
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/50335e59-db95-43c6-8c59-ee104a5ebb05/
Parent samples :
a029d8c0575a9eea5fb42ec03d36b3bc1443775d1500274c97aee32b8a666505
eca38d03cfa86717e86a3deab218a3c4125a6b10a36825d178ac263731288d37
27c778ddd5fc52f6b2d3950b409b9d0eae0aa20efc48c29b6aea24c3735a979d
SH256 hash:
3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9
MD5 hash:
a5228b97b33467ac41fac5cac2718252
SHA1 hash:
28bb020c8a53b046fc8e8106f2913e62c5941a0d
Link:
https://www.unpac.me/results/50335e59-db95-43c6-8c59-ee104a5ebb05/
SH256 hash:
27c778ddd5fc52f6b2d3950b409b9d0eae0aa20efc48c29b6aea24c3735a979d
MD5 hash:
0c60f7258b05528fedfb993f2b27a6c7
SHA1 hash:
11ebf4d5684ebca973e6a7b91345f6820256c9d7
Link:
https://www.unpac.me/results/50335e59-db95-43c6-8c59-ee104a5ebb05/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/27c778ddd5fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/27c778ddd5fc52f6b2d3950b409b9d0eae0aa20efc48c29b6aea24c3735a979d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/422714/

Comments