MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32cb45b7a29d11d5962d991558f0e216de55cf5882282b55c9a2bb625e01873a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

SHA256 hash: 32cb45b7a29d11d5962d991558f0e216de55cf5882282b55c9a2bb625e01873a
SHA3-384 hash: 969ae18585674a59a117fe6df5e7692571dbc7fc9dac67bd9b5b785903438cb3b686b1d4ac712e627728849b97487080
SHA1 hash: 803e30eb1a53acbab0c63bdaf2873b34faa3ecfe
MD5 hash: ca545aaaae6cbeb3f49bb62f712b6a1e
humanhash: virginia-johnny-six-friend
File name: Bank copy.exe
Signature: AgentTesla
File size: 596'992 bytes
First seen: 2023-05-04 11:08:09 UTC
Last seen: 2023-05-13 22:47:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:yD53A2KqnAovPHO1+O9QpiAMZfwsVA70tRz52GYvshOWI:0Qin6l92MNVA70tRz5eUhl
Threatray: 729 similar samples on MalwareBazaar
TLSH: T18CC47C3C29BA5627C176C3798BD19427F1609C5F3112EEA994D333BA4752B8239C327E
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: acac0001000001a2 (15 x AgentTesla, 4 x SnakeKeylogger, 1 x Formbook)
Reporter: Anonymous
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 239
Origin country: CH

Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: Bank copy.exe
Verdict: Malicious activity
Analysis date: 2023-05-04 11:08:33 UTC
Tags: agenttesla

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a file
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: formbook packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph: ID 859004; sample Bank_copy.exe; start date 04/05/2023; architecture WINDOWS; score 100.
Processes in graph: Bank_copy.exe, BrguniNURCK.exe, zBwkauB.exe (two instances), RegSvcs.exe (two instances), schtasks.exe (two instances), conhost.exe.
Dropped files: C:\Users\user\AppData\...\BrguniNURCK.exe (PE32), C:\Users\user\AppData\Local\...\tmpDBD4.tmp (XML), C:\Users\user\AppData\...\Bank_copy.exe.log (ASCII), C:\Users\user\AppData\Roaming\...\zBwkauB.exe (PE32).
Network: mail.dmstech.in and dmstech.in (208.91.199.89, ports 49699, 49700, 587; PUBLIC-DOMAIN-REGISTRYUS, United States), contacted by RegSvcs.exe.
Signatures attached to graph nodes: Snort IDS alert for network traffic; found malware configuration; malicious sample detected (community Yara rule); antivirus, multi AV scanner and machine learning detection for dropped file; uses schtasks.exe or at.exe to add and modify task schedules; writes to foreign memory regions; injects a PE file into foreign processes; tries to harvest and steal Putty / WinSCP information, mail credentials, ftp login credentials and browser information; queries sensitive network adapter information (via WMI, Win32_NetworkAdapter); hides that the sample has been downloaded from the Internet (zone.identifier).
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-04-28 05:59:17 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 23 of 33 (69.70%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
AgentTesla
Unpacked files
SHA256 hash: 739b0d0c25dab5d69c516941cb4f370df005fc8e1a77df445358776b22c3dd52
MD5 hash: 0a3d628f3d14fecd845cc89b4fee11b0
SHA1 hash: c072047c81115be2e2307cc85f01fe98a8079c87
Detections: AgentTesla

Parent samples:
SHA256 hash: ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d
MD5 hash: 27f5124bf8f451bca8d8a15c73c4f521
SHA1 hash: 5fd557e109b8fd1c3b362b64f0ba9f1600c07211

SHA256 hash: aa603f99faab9b085025542ed7a5377bb50c1ee1fe8a754e9c3d5bdf128e8e03
MD5 hash: b46a05da26cd8de05fbbeffd17e96375
SHA1 hash: 194eb5ef5ada8e0d0df325b01653cd28973770a9

SHA256 hash: 32cb45b7a29d11d5962d991558f0e216de55cf5882282b55c9a2bb625e01873a
MD5 hash: ca545aaaae6cbeb3f49bb62f712b6a1e
SHA1 hash: 803e30eb1a53acbab0c63bdaf2873b34faa3ecfe

Malware family: AgentTesla.v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Windows_Trojan_AgentTesla_d3ac2b2f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 32cb45b7a29d11d5962d991558f0e216de55cf5882282b55c9a2bb625e01873a (this sample)
Dropped by: agenttesla
Delivery method: Distributed via e-mail attachment
