MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 338296c4afcdc67873712c300d6977a7e442437b05968c32c90909d623d1e1f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	338296c4afcdc67873712c300d6977a7e442437b05968c32c90909d623d1e1f1
SHA3-384 hash:	f3b37329b482583cf1b0364d867416d765336405d00bf0744abbd4b920b2dc5e4d611462c93d6edc24475019aef15f1b
SHA1 hash:	556cc660c68f52c423cd33475a65167864abe118
MD5 hash:	bcb4352a53d4641c9f79043596d387b3
humanhash:	enemy-oxygen-princess-yellow
File name:	Purchase Enquiry-Y97STVZCPZC12AQ-03315904351-pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	680'960 bytes
First seen:	2023-12-13 14:20:53 UTC
Last seen:	2023-12-15 20:35:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:1EfnIPGy+YYUBYqFrEqH6+DI1egAnyZpzW8ysZ2pfKK/3ySPS49Nk:YtYnCqFrVHNI1egAnyZpzpqv/3JP99
TLSH	T10BE423013B988763C32E53383CB3472143398A97BA95E71F3DDA84E9E5D3B451262B97
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	cc0f3355332b17cc (12 x AgentTesla, 6 x Formbook)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

340

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/467227/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.59820.7575.1849.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Setting a keyboard event handler

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/6579bdd918cffa73b1e48540/reports/d312bf16-d09a-4bc3-835f-a65f09add3cd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/338296c4afcdc67873712c300d6977a7e442437b05968c32c90909d623d1e1f1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e220a076-da0b-4b37-ae3f-cda8d37a6596

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1361472

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/338296c4afcdc67873712c300d6977a7e442437b05968c32c90909d623d1e1f1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/338296c4afcdc67873712c300d6977a7e442437b05968c32c90909d623d1e1f1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-13 09:08:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gobjnrfpzxdhq43rfqya22lxu7seeq33awliymwjbee5mi6r4hyq._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231213-rnzkrsfdd8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://discord.com/api/webhooks/1181759713713602600/iHsQ6OYa_KMNpOIA7OYiDu7j9BWVVvJ0gcEWr8VRve7tDH1TR5LRILIK1jr1NG5T-29a

Unpacked files

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/0ee68463-b2c6-42c3-9b32-c935c2053c5a/

SH256 hash:

3f796fd1ccc930576da3852426204df4a11e7eb965104ccef7b972807b00c43d

MD5 hash:

6bed625638d94a94a4b3b72b86df7048

SHA1 hash:

6aa49fc40d8db7bd8724e6ac77482fa753b349e0

Link:

https://www.unpac.me/results/0ee68463-b2c6-42c3-9b32-c935c2053c5a/

SH256 hash:

e3fa00586a3b38a73258395fbf6d519e7d4a13a840eb233205479d149f2e6e23

MD5 hash:

730a1bb9fd9dc6a39763e3a33bdf8f92

SHA1 hash:

5cab9936a9d8fb70c38617802db10a39ebcbbbcf

Link:

https://www.unpac.me/results/0ee68463-b2c6-42c3-9b32-c935c2053c5a/

SH256 hash:

a22c7c4e354da6c2e09d8c46863c4595c9fbb11fbd7b8badfdfa11654e1b011b

MD5 hash:

bb09fe5f53e77ed0dc301785197579e8

SHA1 hash:

08244c50c693b5c07e47f3296c9376273b809f83

Detections:

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DiscordURL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/0ee68463-b2c6-42c3-9b32-c935c2053c5a/

Parent samples :

2d631e09274afb5c231bd6d7f6a7c26922a0fa3176ba5837d3be82469fa6e6eb
338296c4afcdc67873712c300d6977a7e442437b05968c32c90909d623d1e1f1

SH256 hash:

338296c4afcdc67873712c300d6977a7e442437b05968c32c90909d623d1e1f1

MD5 hash:

bcb4352a53d4641c9f79043596d387b3

SHA1 hash:

556cc660c68f52c423cd33475a65167864abe118

Link:

https://www.unpac.me/results/0ee68463-b2c6-42c3-9b32-c935c2053c5a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/338296c4afcd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/338296c4afcdc67873712c300d6977a7e442437b05968c32c90909d623d1e1f1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/467227/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample