MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 324b84d54292eab83c188003dfa1d3f5854402e185a6a103d8b9c1fa73afc92e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 2 File information Comments

SHA256 hash:	324b84d54292eab83c188003dfa1d3f5854402e185a6a103d8b9c1fa73afc92e
SHA3-384 hash:	e5a3d416ce6167b26bf837be46adecf1087981392f2e75504e60b5970879ea44f72ec7916ff706b9ff134a3cb006ead4
SHA1 hash:	8eddcc4613eae21e5a5d275429a1530fcaba8c65
MD5 hash:	80b9a255678ea839a292060286175104
humanhash:	oxygen-zulu-oklahoma-idaho
File name:	MV Nea Tyhi- pda quotation_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	565'760 bytes
First seen:	2023-08-01 21:04:22 UTC
Last seen:	2023-08-02 16:21:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:yn2iN8JJ42yOza/x2fENLOOgCwfUdxVBqIw5zYROw3Lq9R:yn1uJ9zkNLONCgUnjqIGF9R
Threatray	5'693 similar samples on MalwareBazaar
TLSH	T15CC42235217D8BF8E23DD7B26856424003B6250E5320E66D8DEB78EF3FB6BD40151BA6
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

MV Nea Tyhi- pda quotation_pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-08-01 21:05:21 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/b57fc69e-5205-4b32-ba90-e0a8f73058bf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/439694/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Sending a custom TCP request

Restart of the analyzed sample

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64c97381c7115fded3683083/reports/7cc9bd5a-83e4-4a23-a9b5-4055c1be36e5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/324b84d54292eab83c188003dfa1d3f5854402e185a6a103d8b9c1fa73afc92e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/11a6bfb6-db8f-45e2-96ed-054d403b6388

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1284050

Signature

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/324b84d54292eab83c188003dfa1d3f5854402e185a6a103d8b9c1fa73afc92e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-08-01 14:53:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gjfyjvkcslvlqpayqab57iot6wcuiaxbqwtkca6yxha7u45pzexa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

5590cb2801075c18a490b2d65789e7d668dd7d81313bf685487105e72329cc71

AgentTesla

65672bd232f4652dfb914a74e9510ad383a8f8fe9884873cc885a61160610965

AgentTesla

6d23d4a7bee5819466b76d973037dbce4838f887a5333210f1cce118c2a4cd4b

AgentTesla

72415d85437a9ce23c1b6e7379c4d68673f0fd4a4612877bb625db9b5dfd6785

AgentTesla

9cced70d2cf7353bd50e98b2dcaa0337a9c74a23874c69452b82cfae70aa3463

AgentTesla

ba7f9aa187f2834a0e730911db8e70b035a93c5bfd1d98306a1b8841ee63d9a8

AgentTesla

+ 5'683 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230801-zw6caacc5z/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

d14712a305ec79e9c6ed52fa6ccf8b959094f1fae760da28246a4363ecbcac38

MD5 hash:

43a7e123db2e202559328d698e9c8bcf

SHA1 hash:

82b5350b3921ca1b509c9210512d844882a5eba2

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/397d0626-6d5b-41ac-9ab7-958f946eb864/

Parent samples :

5590cb2801075c18a490b2d65789e7d668dd7d81313bf685487105e72329cc71
324b84d54292eab83c188003dfa1d3f5854402e185a6a103d8b9c1fa73afc92e

SH256 hash:

cef945054fc7a10b7c2b742a7ee2a4fcc9c5a8005a1098ca502398b685f1311d

MD5 hash:

e7d6e9a6661960bb5e44758e8edc7960

SHA1 hash:

8086fb369901ac0cabded577e033f9c2527632e3

Link:

https://www.unpac.me/results/397d0626-6d5b-41ac-9ab7-958f946eb864/

SH256 hash:

72b0178ece936995d0b16fe755f043037253930128b3db78bce2691bf4e45936

MD5 hash:

aad01354844bcf45059177ad31739782

SHA1 hash:

6dda25002853f2bf0ff1d1b7a203dacd3268a738

Link:

https://www.unpac.me/results/397d0626-6d5b-41ac-9ab7-958f946eb864/

SH256 hash:

dcbd8442762f90cd583050546d2eb8ce4d06dc1c786d16e93651cff0827b6312

MD5 hash:

145ffe28b2e53f9ab5cf7a21e43157fa

SHA1 hash:

639421307a16f0bec62a15f3ce46535faed8babe

Link:

https://www.unpac.me/results/397d0626-6d5b-41ac-9ab7-958f946eb864/

SH256 hash:

324b84d54292eab83c188003dfa1d3f5854402e185a6a103d8b9c1fa73afc92e

MD5 hash:

80b9a255678ea839a292060286175104

SHA1 hash:

8eddcc4613eae21e5a5d275429a1530fcaba8c65

Link:

https://www.unpac.me/results/397d0626-6d5b-41ac-9ab7-958f946eb864/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/324b84d54292/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/324b84d54292eab83c188003dfa1d3f5854402e185a6a103d8b9c1fa73afc92e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.