MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33479e621225b6713bfe13e84fe5f2a3f1071f32cc2410b2a34681c744896a71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	33479e621225b6713bfe13e84fe5f2a3f1071f32cc2410b2a34681c744896a71
SHA3-384 hash:	e3f2b9b5ec60c6d637f42bcd77ca8661d82607ef1d2adfb2c4987b754b5c29cd34b1e21aa85eab563ea33d3e252d7ca0
SHA1 hash:	b2fffd54b8416f53b29dfff8dcb26d870967620d
MD5 hash:	8e7f9d39e74053dd75439c6b0313021a
humanhash:	leopard-sierra-monkey-lake
File name:	Copia de Pago_ Banco Santander_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	32'256 bytes
First seen:	2021-09-29 06:50:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	384:cYISVRVpcFiOdpihjxbQEu4uL+r4Z9IMM/wpv1vNes+A:cYIiSFiODKb1g1a4db
Threatray	10'430 similar samples on MalwareBazaar
TLSH	T1D6E2B501F5449370D7E15AF3B4DFF04CE26A9C2D022B998AE4547D9C2632B916FF962C
File icon (PE):
dhash icon	64e4c8d0f0e8d4d4 (56 x AgentTesla, 7 x RemcosRAT, 5 x NanoCore)
Reporter	abuse_ch
Tags:	AgentTesla ESP exe geo Santander

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Copia de Pago_ Banco Santander_pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-09-29 07:11:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3ccd5e97-05e5-4d82-a717-1ae00a778ff4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/192805/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Creating a window

Connection attempt to an infection source

Sending a TCP request to an infection source

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Query of malicious DNS domain

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/57072955-5d4f-4d03-a74d-cdfddf104e77

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/860956

Signature

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/33479e621225b6713bfe13e84fe5f2a3f1071f32cc2410b2a34681c744896a71/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-28 18:59:03 UTC

AV detection:

3 of 45 (6.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gndz4yqsew3hco76cpue7zpsupyqohzszqsbbmvdi2a4orejnjyq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

725e476d1d0194ad4b55aef56539c888c7be4d4224cef2438ec5744e230723f7

AgentTesla

7c7323889466fa08d4a797ccdc8403e10953dae98d1f413bf39d82d7d9f89e5d

AgentTesla

8065f0a8fb9f149f281c0bb9988547651d0a6c9350352cfd4b2013c65be5ccd2

AgentTesla

8586940b285a92802ff9ca77ab7fb949de2a24784d4724dc18ce6d9c1ad6f187

AgentTesla

9a44a213fb10bc7c0a49c89fd1274d80a4d90dbc328b38d7f1bd9db9c4b3dd4c

AgentTesla

e484dd89ca41783addc420ae8b28e965997644a1bd7a9af1485dc239f21e2ac6

AgentTesla

e56b6b0e8c952292ec51717b619e4570126aed99c7faca77a734dfad09a0a800

AgentTesla

+ 10'420 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210929-hmgtwseabl/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

33479e621225b6713bfe13e84fe5f2a3f1071f32cc2410b2a34681c744896a71

MD5 hash:

8e7f9d39e74053dd75439c6b0313021a

SHA1 hash:

b2fffd54b8416f53b29dfff8dcb26d870967620d

Link:

https://www.unpac.me/results/e069b534-46a6-4064-b3d3-90bad7315e4e/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/33479e621225/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/33479e621225b6713bfe13e84fe5f2a3f1071f32cc2410b2a34681c744896a71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/192805/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample