MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 330a2e6dcb89bc9d54e8535dc95b1bbea5cddfedcb148f62e2214b46911a9f91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	330a2e6dcb89bc9d54e8535dc95b1bbea5cddfedcb148f62e2214b46911a9f91
SHA3-384 hash:	caca107953cccb2bb42f47c044a804c7a0111df6ca51405c46a97ce181d0441c713b1bd7eb22f50af7a3da77d455db56
SHA1 hash:	b19acb9bee395ab9a4cf86628add68d907a0ecc6
MD5 hash:	9adbad9f2191d616614d9af6ffe517ad
humanhash:	bluebird-maryland-item-football
File name:	SecuriteInfo.com.Trojan.Agent.31335.24477
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	195'584 bytes
First seen:	2022-11-22 03:36:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	3072:0yz/ZPQB2qicxzveomPTg8OSs7F/yormBdjYC0y6KbU+Fu6au0wCfBJK20p:3RPPqJ5eo+g8OP7FxrmBdrZUw/ER
Threatray	305 similar samples on MalwareBazaar
TLSH	T1D714022E3348A2EFC125C535F9946D80A735F97A471F8A0F947B960D6E0E993CF22171
TrID	28.5% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 13.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.2% (.EXE) Win32 Executable (generic) (4505/5/1) 5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Trojan.Agent.31335.24477

Verdict:

Malicious activity

Analysis date:

2022-11-22 03:39:29 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/76a7943e-c1f0-4054-b6ee-572e852469a0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/337029/

Detection(s):

SecuriteInfo.com.Trojan.Agent.31335.24477.UNOFFICIAL

PUA.Win.Packed.ConfuserEx-6391397-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/637c43dfa0efd596b82f14e0/reports/7e0697f8-c1bd-4fad-92b0-7a24dfb27f7e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c63a258d-8769-49c2-bb99-b7c02f92e626

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1118627

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/330a2e6dcb89bc9d54e8535dc95b1bbea5cddfedcb148f62e2214b46911a9f91/

Threat name:

Win32.Hacktool.Mimikatz

Status:

Malicious

First seen:

2022-11-22 01:24:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gmfc43olrg6j2vhikno4swy3x2s43x7nzmki6yxceffunei2t6iq._file

Verdict:

malicious

AgentTesla

3a61280726d90b185f70884c4f7ff84af52be06f7fa2ceebf16065e8aee4feb6

AgentTesla

3d20a0367451fd840a120186bd5ff7db7ba12221741964dd8cd15322e7c05760

AgentTesla

435d0e10242410c1f8513df632eac9966534480a2a211fdc2914ad9181b87007

AgentTesla

b3a4fc59536593e4170dd23622983b34be695387fa853eca0532edf8863166f6

AgentTesla

b8445a1f01f0a7175eb9c8521b92223f989b844de32e852102c3fe5824c48097

AgentTesla

cb526159a3186694b746856ab53ea28e2f847a1623f5caf8cfe73021bc1a9196

AgentTesla

db7c8a5a46d62bd318bbe44a2aad834839f33af3883f7d8bf0d3f19cda616a39

AgentTesla

+ 295 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221122-d6gk1shb68/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

a4e8315c48c26253d7a1ee2bf3d9406a27cc68326af85334d276eb4d956389db

MD5 hash:

b420fcf7f57aed04aa5898b83622d6c9

SHA1 hash:

d5e9300ee765047b75a259ff75bb7f961cfa18fb

Detections:

AgentTesla

Link:

https://www.unpac.me/results/479c7a1b-3a6c-4043-8e33-703950cc4162/

Parent samples :

330a2e6dcb89bc9d54e8535dc95b1bbea5cddfedcb148f62e2214b46911a9f91
435ce1e9404ae789d2a1a33e57f602f4bdfd6bb08c49826699ca23da5a117c70
58873f3b0e839c017a4ae835787ad4c1f821e905184d168be6250d368f793fbb
feb004eece446b55f9084f8eb1ef78f3629943b6978a7fcd1179a64d14477255

SH256 hash:

be2d09c9cf576ed228d13ffe498e2be05b7b6989e7b86e932d8b82f40a85e056

MD5 hash:

35bad8fa189f3eed5ce0b7035522bf3d

SHA1 hash:

9abec95a9d55243a646ed44791d1f0808c4f8dd0

Link:

https://www.unpac.me/results/479c7a1b-3a6c-4043-8e33-703950cc4162/

SH256 hash:

330a2e6dcb89bc9d54e8535dc95b1bbea5cddfedcb148f62e2214b46911a9f91

MD5 hash:

9adbad9f2191d616614d9af6ffe517ad

SHA1 hash:

b19acb9bee395ab9a4cf86628add68d907a0ecc6

Link:

https://www.unpac.me/results/479c7a1b-3a6c-4043-8e33-703950cc4162/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/330a2e6dcb89/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/330a2e6dcb89bc9d54e8535dc95b1bbea5cddfedcb148f62e2214b46911a9f91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/337029/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample