MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 337ce11e758631b9327321060bea40342ee175113d93e8d293a6e6d08d008509. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 337ce11e758631b9327321060bea40342ee175113d93e8d293a6e6d08d008509
SHA3-384 hash: 9a95d73a8649ef3872ca612a87250333416728b2bf83173064cbc6a3e1e04ca92fc9787a76f62f1ed6b2da5fc0c4136b
SHA1 hash: 7255dff14fae119677ca2976900bdde79316a5f0
MD5 hash: a20b5ad1e3f78ab76c922c4108ae8729
humanhash: snake-whiskey-enemy-alanine
File name:DHL AWB # 2343881396.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:745'984 bytes
First seen:2023-09-20 16:57:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:adEUY2iNtyYpQgBpVlaW/n2KvtHWjX+4mhh8GeZ7qNTHsZsdaNH3vHw5K9iE:JUY1+IPDjOKtWjXuk30pMZs0x3vQ5KME
Threatray 5'628 similar samples on MalwareBazaar
TLSH T1A9F4F0203A6CAFE3E67A13F54294884513F6611A603EE7451DC778CF3AA1F908F52B97
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
DHL AWB # 2343881396.exe
Verdict:
Malicious activity
Analysis date:
2023-09-20 17:10:31 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/58fb3fb6-37f2-4274-a4e9-cb2f632549e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450110/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/650b249b86207ed6281f8ae6/reports/99cbc2a2-9eb7-4bb0-ae25-a9a0e9c1071b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/337ce11e758631b9327321060bea40342ee175113d93e8d293a6e6d08d008509
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/801ae773-d880-45a9-a381-7119e6c1ab3b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311760
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/337ce11e758631b9327321060bea40342ee175113d93e8d293a6e6d08d008509/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 09:16:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gn6ochtvqyy3smtteedax2sagqxoc5irhwj6ruutu3tnbdiaqueq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1464482f2d705d8813e983c4ee8582bde6f1d515c5e2c9406f13146fcf3f2687
AgentTesla
35b8d05a657c4ec7fd846203a5bbce27d1c9458a2f42e99bd3e72987f49c0e80
AgentTesla
5167b917426b8435d81522f885966f00cbf7f5b896e2a6b18696bb0f1194756c
AgentTesla
83e202c299d139b909d80f39e81487515d2f21a9a0b6546f42dbd194088e07e7
AgentTesla
99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455
AgentTesla
cc2556dc4dd2e1f164c1919338bd557f16b157a1ec0cce9d27f16698f64c6ec0
AgentTesla
d8ab425ae58e676d7575eab5fc65601ac4851045ccd781d592af8342857c6c6b
AgentTesla
d9ed92176c4ea379d85fcdf39c820721212b2493558c466b680058836e379b54
AgentTesla
de74104e75bbf713beee96aa5831a4dd2a94b106d5cfc9b43a598fe858f5aa56
AgentTesla
+ 5'618 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230920-vgtmqahe7v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
fd8f7fbcd58cba8813012800dd13b009bc9374c47aac2314443ee447baf978e6
MD5 hash:
7af421cdab45954d53c0abadc6cea17e
SHA1 hash:
e619ba9324753ea06ed2360d454b243d46b122c6
Link:
https://www.unpac.me/results/ff031238-d763-439b-a649-cade527e07fb/
SH256 hash:
0045e55af6e5f421eda0a778147b55ca1a0abbd0d0dc508476ae45cb4d8dfd42
MD5 hash:
12612af5ec3789645f7febcd2c34bb3a
SHA1 hash:
8133fc604a15ba2219bd1f82569ec822f443e46a
Link:
https://www.unpac.me/results/ff031238-d763-439b-a649-cade527e07fb/
SH256 hash:
1496d4ac542650a1c6137a567328694f898301ad42d6cd637efe3b512ec77745
MD5 hash:
f8d0cfacbe30d8f3388f6f49efca2f5e
SHA1 hash:
73924864021786ab450db60efc910d8132d63ace
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/ff031238-d763-439b-a649-cade527e07fb/
Parent samples :
1464482f2d705d8813e983c4ee8582bde6f1d515c5e2c9406f13146fcf3f2687
35b8d05a657c4ec7fd846203a5bbce27d1c9458a2f42e99bd3e72987f49c0e80
337ce11e758631b9327321060bea40342ee175113d93e8d293a6e6d08d008509
6d8070624c9a9acdd20093644d4baa5481bb5a3e9ccc113e6a140bd721808585
6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad
SH256 hash:
722286fcc6cc31c96a8923b7eaa70ffd821745f11d8598d86bc9c5e900a66a55
MD5 hash:
02a8a28c663cda88ac46466952096f66
SHA1 hash:
72981ef59fe1d7923632bca9397a361e9bc295e0
Link:
https://www.unpac.me/results/ff031238-d763-439b-a649-cade527e07fb/
SH256 hash:
337ce11e758631b9327321060bea40342ee175113d93e8d293a6e6d08d008509
MD5 hash:
a20b5ad1e3f78ab76c922c4108ae8729
SHA1 hash:
7255dff14fae119677ca2976900bdde79316a5f0
Link:
https://www.unpac.me/results/ff031238-d763-439b-a649-cade527e07fb/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/337ce11e7586/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/337ce11e758631b9327321060bea40342ee175113d93e8d293a6e6d08d008509

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/450110/

Comments