MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33843fcda40d7d884e286bdb789c712752b07db42804ce805869dadaddaeba16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33843fcda40d7d884e286bdb789c712752b07db42804ce805869dadaddaeba16
SHA3-384 hash: ba06dbbeefce0d160cadbac9b6e44940952332016a30f12306cb300e34959fa3b4be0ebfef410a5035a58db143611fbc
SHA1 hash: dc6b31ea3d1348c23bdba7717176e9b60dc146fa
MD5 hash: 46b284bbaec1beaccf6c0f250bee6c82
humanhash: bluebird-indigo-floor-video
File name:46b284bbaec1beaccf6c0f250bee6c82
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'650'688 bytes
First seen:2022-05-02 19:11:08 UTC
Last seen:2022-05-02 19:39:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:T8WRLOb5fA6xNOigR+pdf8TSHOb+zjB6TAvney6cCDmg3:TRBcggPkqjB6TAvney6f
TLSH T198758D9D711072DFC857E0B6DAA81C64EA217CB6530B4603903739BE9B7D987CF190BA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
634
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
MAY ORDER.xlsx
Verdict:
Malicious activity
Analysis date:
2022-05-02 18:14:15 UTC
Tags:
encrypted exploit CVE-2017-11882 loader agenttesla
Link:
https://app.any.run/tasks/ab496db1-425f-4c3d-9ca4-61a9c934bd04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/268275/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50237500.28772.13574.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/62702d0a43389532771e8909/reports/7d615555-5606-4cc5-bca5-00cbb81cd3ab/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2362a0f8-e65a-4b61-8622-abdca9db5582
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/986717
Signature
.NET source code contains very large array initializations
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 619208 Sample: 7cDaDkNe7J Startdate: 02/05/2022 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 7 other signatures 2->55 6 7cDaDkNe7J.exe 3 2->6         started        10 HSpMzoJ.exe 3 2->10         started        12 HSpMzoJ.exe 2 2->12         started        process3 file4 23 C:\Users\user\AppData\...\7cDaDkNe7J.exe.log, ASCII 6->23 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->59 61 Injects a PE file into a foreign processes 6->61 63 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 6->63 14 7cDaDkNe7J.exe 2 5 6->14         started        65 Multi AV Scanner detection for dropped file 10->65 67 Machine Learning detection for dropped file 10->67 19 HSpMzoJ.exe 2 10->19         started        21 HSpMzoJ.exe 10->21         started        signatures5 process6 dnsIp7 29 us2.smtp.mailhostbox.com 208.91.198.38, 49772, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->29 25 C:\Users\user\AppData\Roaming\...\HSpMzoJ.exe, PE32 14->25 dropped 27 C:\Users\user\...\HSpMzoJ.exe:Zone.Identifier, ASCII 14->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Moves itself to temp directory 14->37 39 Tries to steal Mail credentials (via file / registry access) 14->39 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->41 31 208.91.198.46, 49797, 587 PUBLIC-DOMAIN-REGISTRYUS United States 19->31 33 192.168.2.1 unknown unknown 19->33 43 Tries to harvest and steal ftp login credentials 19->43 45 Tries to harvest and steal browser information (history, passwords, etc) 19->45 47 Installs a global keyboard hook 19->47 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/33843fcda40d7d884e286bdb789c712752b07db42804ce805869dadaddaeba16/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-02 19:12:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
62
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220502-xwgyksebb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4dd62a174b54eff529fa0303bd05b85324915e43ac0ab07ee6d11871fa050414
MD5 hash:
e8e23d5f3055e358b897b3180e09562d
SHA1 hash:
1eb030490e0110465175e571ada267ea9acac6b8
Link:
https://www.unpac.me/results/ff47ad6b-ce19-4738-a7ab-7cbe2af9b3f2/
SH256 hash:
338e29a6b4ad47cc207ccec75aa8d144bd638f2f8fb05750883489f7476ba4c7
MD5 hash:
17f8feaff48fce4fc518b83afea16651
SHA1 hash:
70477523115ed9e8e984d5743711d290c2a0f46e
Link:
https://www.unpac.me/results/ff47ad6b-ce19-4738-a7ab-7cbe2af9b3f2/
SH256 hash:
b8849e75e319a601f1340397174467f922dc2ba49db464ac2dae34d74ada56c2
MD5 hash:
b95586c0706897c711a13b15cb44f306
SHA1 hash:
9c272019fb4a026f3f8d611ba4e9c39e61d94b17
Link:
https://www.unpac.me/results/ff47ad6b-ce19-4738-a7ab-7cbe2af9b3f2/
SH256 hash:
85a03a8706e1c8a784b35055848ce999e633f508d9fb0ac65ea7cf5b462a858b
MD5 hash:
d21c5d016579e5896105a6db43148248
SHA1 hash:
bf238b70f8c9d7920ed8a08bd36c5d1a6920508b
Link:
https://www.unpac.me/results/ff47ad6b-ce19-4738-a7ab-7cbe2af9b3f2/
SH256 hash:
33843fcda40d7d884e286bdb789c712752b07db42804ce805869dadaddaeba16
MD5 hash:
46b284bbaec1beaccf6c0f250bee6c82
SHA1 hash:
dc6b31ea3d1348c23bdba7717176e9b60dc146fa
Link:
https://www.unpac.me/results/ff47ad6b-ce19-4738-a7ab-7cbe2af9b3f2/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/33843fcda40d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33843fcda40d7d884e286bdb789c712752b07db42804ce805869dadaddaeba16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 33843fcda40d7d884e286bdb789c712752b07db42804ce805869dadaddaeba16

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2175040/
Cape
Cape
https://www.capesandbox.com/analysis/268275/

Comments


Avatar
zbet commented on 2022-05-02 19:11:09 UTC

url : hxxp://198.23.251.5/razi.exe