MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec
SHA3-384 hash: 02687f8409ea31fa0bc8bf7a6556ab51749438e4cfcc37f4ccf8fac482455685777896e6d84e48fb768cf0421325241e
SHA1 hash: c4022461400b1bd736b941e01efd4f88a2f3fc1f
MD5 hash: 721723e02b3cfd83bf46ff1abfbe9c7e
humanhash: jig-alaska-kilo-green
File name:326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec
Download: download sample
Signature AgentTesla
Create hunting rule
File size:648'192 bytes
First seen:2023-05-10 10:39:09 UTC
Last seen:2023-05-13 22:42:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:Qmo4Vu00mClQwO5YuCWtpL5YcLXoqkvw04/gPzjF8fHOegQVtj:QmlVuWClPOauCOLicDoRSoPXF8vl
Threatray 1'081 similar samples on MalwareBazaar
TLSH T193D4AE525065CD4FFE2ADBB0D1B4FF55A6F1F07364E190242BB921C9CAA9F021E8C52E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
248
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec
Verdict:
Malicious activity
Analysis date:
2023-05-10 10:41:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/82fa60e5-27f8-4972-a818-24bf58096af9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388129/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/645b7483d054a0b0ef848317/reports/81c40cdf-4cc7-480d-806f-df2d21f4412b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91808c61-160b-4b3b-a100-5304bb4ba2cd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229933
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862915 Sample: kH43ETenZ3.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 5 other signatures 2->55 7 kH43ETenZ3.exe 7 2->7         started        11 TejDzhESjQ.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\TejDzhESjQ.exe, PE32 7->31 dropped 33 C:\Users\...\TejDzhESjQ.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpF6BA.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...\kH43ETenZ3.exe.log, ASCII 7->37 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 kH43ETenZ3.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 21 TejDzhESjQ.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 masarusering.com 68.66.248.44, 49709, 49711, 587 A2HOSTINGUS United States 13->39 41 mail.masarusering.com 13->41 47 3 other IPs or domains 13->47 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 mail.masarusering.com 21->43 45 api.ipify.org 21->45 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->71 73 Tries to steal Mail credentials (via file / registry access) 21->73 75 Tries to harvest and steal browser information (history, passwords, etc) 21->75 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 14:56:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gjqdfasyihnexzewg7bnl4hrkbe4faptdvaxrlesi3cuhl4w2hwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
310cca45875cb77640bd15ff405af55de5a00828088722da1681aaa2cc90c931
AgentTesla
326bfca24194b50bc52e6059290e9167fff08d742e07b6bee5209cbee4e87c50
AgentTesla
33b5ccf1b3b48e22ab607320e0bb143ad0ac2a9770b0e385c0365366de472ceb
AgentTesla
390c232ef961f72ca0a624dba0adf69ab2ad5480accb3c8c0b4f475299e4c9f7
AgentTesla
42a1b1333505c88f790a7fbc5c39856f94cbddaeeffa5be29ae38fb5f567350d
AgentTesla
4d05e5393501f1ad0b8ef7afae8f786dd464cb527f541e2f7a4aec03ff7af34c
AgentTesla
8d41a5c262bd9bcdde87d6ee9322abebe831a18a143089576b7be05b985aff0e
AgentTesla
eabf4231e0b5fbe98a97c140a691b79076ac1c4f9663181567301cc307771025
AgentTesla
eed1e8c36a418b60ba36641bb30f7bab473e20421b8875eff0dd790a666f8825
AgentTesla
+ 1'071 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230510-mqh9cafe54/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/68be9824-2274-4548-9130-592ab9285e99/
SH256 hash:
af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114
MD5 hash:
b9897ba5e468e516e162fd3790a9ddbc
SHA1 hash:
db264c796e4a36a45af11e8a7bf71cf0dadce0f0
Link:
https://www.unpac.me/results/68be9824-2274-4548-9130-592ab9285e99/
SH256 hash:
287a3541321106fa3002f274719a1145e8b266f3ca1ffe811b49ab6aeaef321b
MD5 hash:
5df56ad989271909e96c83c7edf2bbcb
SHA1 hash:
3a8dfd6d885fc64230210fbc2dd16cfe6c5c9872
Link:
https://www.unpac.me/results/68be9824-2274-4548-9130-592ab9285e99/
SH256 hash:
f019cbfed9a48d21b57620e9e9fe44139a49d8f6ad72e1db96e13485a79684b3
MD5 hash:
9145a823fd2d38c9e827c932c0e1a688
SHA1 hash:
0fd71390162822b2571c34a0ed5289d9e09662d1
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/68be9824-2274-4548-9130-592ab9285e99/
Parent samples :
02169571891ab7333002f983d3544b2a78a775d1d55f594c5ce49883b108f3ef
9cefc5f1d6bfd34ee5e77486266a02f077a276fb2cffd1eec3b9e19c79d823c1
4f106e71463410c0880736786b987b0329cb64a441481794230890d48661c9b2
326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec
SH256 hash:
777b337251df34d8a474303cb0902de4a46275138e03fdce4adaf3c0d36bade5
MD5 hash:
19af40fd69bcc77a9abaec223fa80960
SHA1 hash:
0e7b63fdbe1f2da6200dc98f24ef3b8d1f18d54f
Link:
https://www.unpac.me/results/68be9824-2274-4548-9130-592ab9285e99/
SH256 hash:
326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec
MD5 hash:
721723e02b3cfd83bf46ff1abfbe9c7e
SHA1 hash:
c4022461400b1bd736b941e01efd4f88a2f3fc1f
Link:
https://www.unpac.me/results/68be9824-2274-4548-9130-592ab9285e99/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/326032825841/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/388129/

Comments