MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32d4a99f7d8c0ce353f152cc8e0112d03b1f4d55fe0a51711f8d926c115e6006. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32d4a99f7d8c0ce353f152cc8e0112d03b1f4d55fe0a51711f8d926c115e6006
SHA3-384 hash: f5caf3dca8754aeb30f5d9d0eb1c12102ea47c334ab2a09a6663a4f83b8f0b38d63215a05492e3af02bc31f4a9a8f97e
SHA1 hash: 6355bd99e5620fb8ddfed8d8ca1edb931d231718
MD5 hash: 07bb6e8d8fd85eb6cabc7a435a602656
humanhash: solar-kilo-uranus-finch
File name:07bb6e8d8fd85eb6cabc7a435a602656.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:494'592 bytes
First seen:2021-02-10 13:21:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:1O/wv1PcU7S0YNMWTG9dGa2MfrGXI45U5BmyynH9S+wiZxxf:1v6U58yGHnZZxx
Threatray 2'545 similar samples on MalwareBazaar
TLSH DFB4AEDD326072EFC867D4728AA81CA8FA5174BB871F5203901715EDAE4C99BCF254F2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.adcomhitech.com:587

AgentTesla SMTP exfil email address:
support@adcomhitech.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
07bb6e8d8fd85eb6cabc7a435a602656.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-10 13:30:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fb5d4d2-44bb-4b01-b059-3e527c2dc864

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116552/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42845.31793.30222.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/604516
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/32d4a99f7d8c0ce353f152cc8e0112d03b1f4d55fe0a51711f8d926c115e6006/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-02-10 11:52:11 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=glkkth35rqgogu7rklgi4ais2a5r6tkv7yffc4i7rwjgyek6mada._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
102cc9a141c36c895d867ab6a432085ad0b4f5e1da01add23c26e6de5526c854
AgentTesla
3fd2c91007c4b1429d70710853232018e8da2528d375af5d64b79901254e52f0
AgentTesla
54086875834b1244c63b639f4c7225d611a5f48bd564fdb50ea3e5eb5dde2041
AgentTesla
567e0aa34b26e04924a723b478d32771494b759419e40f00b919167af194c039
AgentTesla
6b090efc032911140a9b027ae65b205eb4b6aef2ab0dec995e473470f6706240
AgentTesla
708833adb2ee812262f329d04431f369c1e5046aa5030362c521c828af756ec2
AgentTesla
ac9a33415eb6ec83ead8f10e2f749b5d5c53f7fb9e758d686e1b01819b44c86a
AgentTesla
b093aa405373bf5f37eb5b10379ab1e10add9aaf66471e299162b60d32f98b1a
AgentTesla
c8b97cffe50d47dbbd7b9b1d13f0155709130a76bb87db3eb1fba12d3dc24705
AgentTesla
feac2864dd0dde4d9fa58c93930c21c8a0786de9f1260e742b61447c826f7fb9
AgentTesla
+ 2'535 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/210210-g8fbtftgqj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
1133ee7d8c15494928b7eceeeea55ec3e9a0d928c35bf0d60a955b9869230fd5
MD5 hash:
db4d81ce3d659e55b5bd5307e87c0386
SHA1 hash:
e77d2f929a11120e3001eee7000b65f2aa30ff64
Link:
https://www.unpac.me/results/27b09f91-493c-43ec-8e4a-e425d5b78449/
SH256 hash:
2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788
MD5 hash:
987ce346069cf47535e5ac57265c7228
SHA1 hash:
d0085325ed78fcac6d1f605753237abd1c40db22
Link:
https://www.unpac.me/results/27b09f91-493c-43ec-8e4a-e425d5b78449/
SH256 hash:
197d98fd80fc786fe8f49a083a5e4aeadca1c58e345297af8b07798bf7d6e354
MD5 hash:
acb67333fc590aa8f9be5e60f5e39148
SHA1 hash:
134c2665ad426ee223aa625304e5e8a8235e9e45
Link:
https://www.unpac.me/results/27b09f91-493c-43ec-8e4a-e425d5b78449/
SH256 hash:
32d4a99f7d8c0ce353f152cc8e0112d03b1f4d55fe0a51711f8d926c115e6006
MD5 hash:
07bb6e8d8fd85eb6cabc7a435a602656
SHA1 hash:
6355bd99e5620fb8ddfed8d8ca1edb931d231718
Link:
https://www.unpac.me/results/27b09f91-493c-43ec-8e4a-e425d5b78449/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/32d4a99f7d8c0ce353f152cc8e0112d03b1f4d55fe0a51711f8d926c115e6006

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 32d4a99f7d8c0ce353f152cc8e0112d03b1f4d55fe0a51711f8d926c115e6006

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/998794/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/998797/
  
URLhaus
https://urlhaus.abuse.ch/url/998898/
  
URLhaus
https://urlhaus.abuse.ch/url/998914/
Cape
Cape
https://www.capesandbox.com/analysis/116552/

Comments