MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 321bcda7d38de0888c3bfe28e8f3488689ea9a7005645739a59cf5c66a72d00a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 321bcda7d38de0888c3bfe28e8f3488689ea9a7005645739a59cf5c66a72d00a
SHA3-384 hash: afbc15f81499671859262444b52b198ec75735f5d4b22513238247bc1ec8a9293d4c21e7e822622a1c16c36ac3c44fc3
SHA1 hash: f41004a9345f1bfb502657830d1015a5b14af1fe
MD5 hash: ff48431eb8f8aae5c1c2218c2221e134
humanhash: lake-purple-massachusetts-six
File name:Order Requirement_6000025581-Pdf.com
Download: download sample
Signature AgentTesla
Create hunting rule
File size:919'040 bytes
First seen:2023-03-08 13:34:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:7JEP78/2iNJLjQSdpbD/sI8wqN4qCXb2ut1qUcRIjAPRG6w9zIzLO+P82JLgH:NEP78/1rFfsIeN4qCXb27npGT0zLEcL
Threatray 1'244 similar samples on MalwareBazaar
TLSH T1B515CF99B2714177EC8F81794A27C1DF3C00F98B7211E237677B7A42E6591BF7988222
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order Requirement_6000025581-Pdf.com
Verdict:
Malicious activity
Analysis date:
2023-03-08 13:35:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2f91eefa-c0e3-4bb6-9ad4-3e16dd92ae6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BumbleBeeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372592/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64088f08ed3d33698044bf68/reports/56002bd3-f1bc-4bc1-9bf4-1cb31280c958/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/321bcda7d38de0888c3bfe28e8f3488689ea9a7005645739a59cf5c66a72d00a
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97beecb1-a79d-41fd-8736-ab4e1a8c05a6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189735
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 822607 Sample: Order_Requirement_600002558... Startdate: 08/03/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected AgentTesla 2->57 59 2 other signatures 2->59 6 Order_Requirement_6000025581-Pdf.com.exe 3 2->6         started        10 Skype.exe 3 2->10         started        12 Skype.exe 2 2->12         started        process3 file4 25 Order_Requirement_...581-Pdf.com.exe.log, ASCII 6->25 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->61 63 May check the online IP address of the machine 6->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->65 14 Order_Requirement_6000025581-Pdf.com.exe 17 5 6->14         started        19 Order_Requirement_6000025581-Pdf.com.exe 6->19         started        67 Multi AV Scanner detection for dropped file 10->67 69 Machine Learning detection for dropped file 10->69 21 Skype.exe 14 2 10->21         started        71 Injects a PE file into a foreign processes 12->71 23 Skype.exe 2 12->23         started        signatures5 process6 dnsIp7 31 discord.com 162.159.136.232, 443, 49713, 49729 CLOUDFLARENETUS United States 14->31 33 api4.ipify.org 104.237.62.211, 443, 49711, 49716 WEBNXUS United States 14->33 35 api.ipify.org 14->35 27 C:\Users\user\AppData\Roaming\...\Skype.exe, PE32 14->27 dropped 29 C:\Users\user\...\Skype.exe:Zone.Identifier, ASCII 14->29 dropped 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->45 47 Tries to steal Mail credentials (via file / registry access) 14->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->49 37 162.159.138.232, 443, 49720 CLOUDFLARENETUS United States 21->37 39 192.168.2.1 unknown unknown 21->39 41 api.ipify.org 21->41 43 api.ipify.org 23->43 51 Tries to harvest and steal browser information (history, passwords, etc) 23->51 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/321bcda7d38de0888c3bfe28e8f3488689ea9a7005645739a59cf5c66a72d00a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 13:46:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gin43j6trxqirdb37yuor42iq2e6vgtqavsfoonftt24m2ts2afa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
15852a249bf70514a6c961426ec261dff37d2a6bf8588d6f9775b8107a8c973f
AgentTesla
29efaf03dee08b4e3f4e23e41b9581513da070dc49e746e91aee2022fef12088
AgentTesla
6dbd277a53e2c621a778a18ed9fc38ed556afc145683481aeb55301d1a574961
AgentTesla
769d0e9720bbc74f76e295710fbc77d8cb3998353ca7084bc121e780c9b1f3ef
AgentTesla
9d8720d03350b0737e0a315bdf24d79a1344d87c1027a7f01b9971a3e000d01c
AgentTesla
ae773800646505a74d624672b6a3bf5d74c92dc78d7d1fdb9df1842d692c21ab
AgentTesla
c0d69c07096000d15184964499d68e91874da06fc8d461ae8b4bc376ea72fd30
AgentTesla
d03b8c0fcbbdc16e4c7d5794c037ad639ce4c55aa42fc1905c179c4213d0b04f
AgentTesla
e1332c9ff034ded7f31b405f082cba3f67c5bf23f679e08643907ff26679cbfb
AgentTesla
f9b3b368ead42e40cc95eec1086d998fef8248e47985c15c45458c6415ffdca1
AgentTesla
+ 1'234 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230308-qvnw6sdf21/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1075944673488678912/m3aVABA-5kWSgJX1nrMHl_ck2c58BoYiuMGOUVHnCCcMvDbI5WYqrNmerT3M0lXHddFH
Unpacked files
SH256 hash:
bbd301a98b6b62c6dfa95c0219b19c32b587a205f01f452afd1586120c522dcc
MD5 hash:
fa735b89e801f45cb2df495a3356b3bd
SHA1 hash:
c215368a8abd2a83e98db4039fba9bee72acd0af
Link:
https://www.unpac.me/results/4b6016c6-9943-418e-9386-37ee1770df83/
SH256 hash:
dd49948e0b3393a8b53084075ec2f2a8c36813d1ba1ca538697eb62ec4b4deae
MD5 hash:
538dab51e58b7dd3809664982f4d0746
SHA1 hash:
4e7f9615f1d96b087c453a72217662f867e0520d
Link:
https://www.unpac.me/results/4b6016c6-9943-418e-9386-37ee1770df83/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/4b6016c6-9943-418e-9386-37ee1770df83/
SH256 hash:
36ff8d416e059305701a9e6f45238331c2174780a3d0253f523bba0fb9e7c447
MD5 hash:
9c6820911cb1e3f0537285c0ec7a028a
SHA1 hash:
0ffc4ad70c86ba47de71e82b5d5fba5854aa0dd6
Link:
https://www.unpac.me/results/4b6016c6-9943-418e-9386-37ee1770df83/
SH256 hash:
a509f81d3357c868de45864c9710824ee9539b1132eab2c3a14adb6994d881ed
MD5 hash:
4a1c823b9faacef2d12e9c05c38f9245
SHA1 hash:
09d8cb24629a02e96a61de0620865b5feb914652
Link:
https://www.unpac.me/results/4b6016c6-9943-418e-9386-37ee1770df83/
SH256 hash:
321bcda7d38de0888c3bfe28e8f3488689ea9a7005645739a59cf5c66a72d00a
MD5 hash:
ff48431eb8f8aae5c1c2218c2221e134
SHA1 hash:
f41004a9345f1bfb502657830d1015a5b14af1fe
Link:
https://www.unpac.me/results/4b6016c6-9943-418e-9386-37ee1770df83/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/321bcda7d38d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/321bcda7d38de0888c3bfe28e8f3488689ea9a7005645739a59cf5c66a72d00a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 321bcda7d38de0888c3bfe28e8f3488689ea9a7005645739a59cf5c66a72d00a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/372592/

Comments