MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 333b4a89730feb420bc1a76bed5c75943e663abd60eaf91c1bafd8417ccab76d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	333b4a89730feb420bc1a76bed5c75943e663abd60eaf91c1bafd8417ccab76d
SHA3-384 hash:	3b4cf28101d9e88546c4fb6bc5a7c9b442258931afd7ff5b330215d3f96acabbbe38c38e9292b91280e65aa413f13e8d
SHA1 hash:	12676d2161a1a8640a555bbce0fd7dcbb1ceb903
MD5 hash:	617c28ec9403e42fbbce2915d7b9ca98
humanhash:	california-green-pizza-failed
File name:	Cotización-202002722.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	465'408 bytes
First seen:	2023-03-28 17:25:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:y/6fGJ3rRkmrrLG9oouz/rJdNOY/WrdqgYic81v:FCbRzLG+ourldNOYkdPo81v
Threatray	1'244 similar samples on MalwareBazaar
TLSH	T190A4230A73F8B71DE2CFF9BD2835501553B1AF0A6521E94C28D562E94E76F840A723E3
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Cotización-202002722.pdf.exe

Verdict:

No threats detected

Analysis date:

2023-03-28 17:27:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/df72a1db-4fd2-4075-9593-5e683eaa4b68

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/378237/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Sending an HTTP GET request

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6423232c9c109cf74b305f64/reports/7b387b32-0fd1-4dc3-98fe-942e6922cbb8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/333b4a89730feb420bc1a76bed5c75943e663abd60eaf91c1bafd8417ccab76d

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8e30d821-7418-448c-947f-49b36bd5046d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1203840

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/333b4a89730feb420bc1a76bed5c75943e663abd60eaf91c1bafd8417ccab76d/

Threat name:

Win64.Trojan.Leonem

Status:

Malicious

First seen:

2023-03-28 15:25:20 UTC

File Type:

PE+ (.Net Exe)

AV detection:

17 of 35 (48.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gm5uvcltb7vuec6bu5v62xdvsq7gmov5mdvpsha3v7mec7gkw5wq._file

Verdict:

malicious

AgentTesla

28ff484ca36b3a1f5d7f59a25e947e9a6b12ca34214f9bcfca01cee5745e6b6a

AgentTesla

35a7141973dd708723ae711b94f845d36740f2613d4f94dde3aa9c75519f0975

AgentTesla

36f8d4d85b7d03fdbd622909d93638fa20bbdcc1e832591b82dbe7f710ab0be0

AgentTesla

43d66102096b171d791582ce4ad7881c68946594a91fa9c4931e9fae6b70e806

AgentTesla

6159a8ba420cbed9d0ca9abb371cd8b1e600c0e2fd7763f32cec6917605d51d9

AgentTesla

9ef8d74a3ef84feb99d45e04e084fb628c091f8fa3b81b42faacc235ab2e753e

AgentTesla

d69974ab2591e06f55c58786be3fc436fe992c501dd37724869747e2369c909d

AgentTesla

fb8fdb08cf7984a3bac0cc7daeea3790a92306467543cf556945fc479a165dd8

AgentTesla

fbfa8f32f35e7925f320978a55f28df0c6214cefd8a93fa02a0c1d946d100715

AgentTesla

+ 1'234 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230328-vzvbzadh2v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Uses the VBS compiler for execution

AgentTesla

Unpacked files

SH256 hash:

333b4a89730feb420bc1a76bed5c75943e663abd60eaf91c1bafd8417ccab76d

MD5 hash:

617c28ec9403e42fbbce2915d7b9ca98

SHA1 hash:

12676d2161a1a8640a555bbce0fd7dcbb1ceb903

Link:

https://www.unpac.me/results/bed57b60-40e3-4623-bf56-fd128b2a1bba/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/333b4a89730feb420bc1a76bed5c75943e663abd60eaf91c1bafd8417ccab76d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/378237/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample