MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 338aa2c1775d9e5d546abd328fdf31f20638905e85e684c7470ed5de507775ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 338aa2c1775d9e5d546abd328fdf31f20638905e85e684c7470ed5de507775ab
SHA3-384 hash: 5fe9a46e1d718b4294c6bed26d73f6c6b4561d399981abba28545bd79356c61752cf6eb45268726a078e8bf9b5c63dcd
SHA1 hash: 13c008012cdc65fd248c569863ee810b791fface
MD5 hash: 678669432f8235d7563f3a8abf00143b
humanhash: diet-carpet-spaghetti-robin
File name:NEW P.O.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:716'288 bytes
First seen:2021-08-03 05:46:36 UTC
Last seen:2021-08-03 07:27:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:OJSXNgq4uZEGLBBBBBBBBBBBXBBBBBBBBBBBNWR8f/w/tduGfC9zsDNnZ1GkZLs/:cZq5Wo/mZfMcspENIGyHDC/q
Threatray 8 similar samples on MalwareBazaar
TLSH T1A7E4AD123AFA505CF3B79FF60BC8B4AE4AFAF6739909F0B939410B4147619818D11B76
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW P.O.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-03 05:53:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed48eb2a-d1b2-476d-9e1a-38612dae33c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175922/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00a620ef-d494-4909-b5fd-067328d2956c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825874
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 458283 Sample: NEW P.O.pdf.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 100 19 Found malware configuration 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected AgentTesla 2->23 25 6 other signatures 2->25 6 NEW P.O.pdf.exe 3 2->6         started        process3 file4 17 C:\Users\user\AppData\...17EW P.O.pdf.exe.log, ASCII 6->17 dropped 9 NEW P.O.pdf.exe 6->9         started        11 NEW P.O.pdf.exe 6->11         started        13 NEW P.O.pdf.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/338aa2c1775d9e5d546abd328fdf31f20638905e85e684c7470ed5de507775ab/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 03:12:10 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gofkfqlxlwpf2vdkxuzi7xzr6iddrec6qxtijr2hb3k54udxowvq._file
Verdict:
unknown
Similar samples:
0f330652345ef8518b898bf3f58e2fc1145e5cb4f4801bdeb77f6bc802b8e99d
AgentTesla
988ec5d9bc02691882a3180947ee76fabc3629413f79a2e4768b9adb58ba432c
AgentTesla
9ab477e23d8cf8368d35d25f4dd3dac5edb67cc75425d485706d3223dee8d875
AgentTesla
ade1520f81648e41c1d8f9c48c022fe413020959b936275dd6bb346d764090dd
AgentTesla
c0208729f67153c198d453b99e2ee4cc13354480756fa9b2ce366cfdcbbdcaf1
AgentTesla
c327c487752e223730def60d8ba802626c5c92256d4b8ccc102ec1b13475096b
AgentTesla
d4db69bade281fb989590744f1bf16e23c686dd5c878fed34b1180ab11d30b0e
AgentTesla
ec020ddc20a07b93afa94a9a3b95b8244bd9a8c8527742cd35957e4c91ca4604
AgentTesla
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210803-eddpxzn2pa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
208ff4d3507671775237a6096e54cf15988bf2dc872cd043defafbfdab2f5710
MD5 hash:
31ed7cf51de77f76c163328e0bea2e24
SHA1 hash:
a99ea37a41da52b8f2083aee90cfd53aea6e538a
Link:
https://www.unpac.me/results/d179a434-bec2-46e8-88fb-ae6ba21e8ade/
SH256 hash:
470c1e16f59b5c9c9ca509068c95ba444012ee2d96ae2c6ac73415da81ceb56c
MD5 hash:
4b42cbbea150c428b8451a6009e91726
SHA1 hash:
37e9aefb6c10f4baacc66fddd88c66b5f12e791e
Link:
https://www.unpac.me/results/d179a434-bec2-46e8-88fb-ae6ba21e8ade/
SH256 hash:
cfef97ff706312dff4edd998aeee22f1283221631ebb0cc954bebbb701c1465c
MD5 hash:
a0f625a3d3348903f3c902f588c0e4f5
SHA1 hash:
20d1f0b74abe6f500e8c21119f55281926210ac0
Link:
https://www.unpac.me/results/d179a434-bec2-46e8-88fb-ae6ba21e8ade/
SH256 hash:
338aa2c1775d9e5d546abd328fdf31f20638905e85e684c7470ed5de507775ab
MD5 hash:
678669432f8235d7563f3a8abf00143b
SHA1 hash:
13c008012cdc65fd248c569863ee810b791fface
Link:
https://www.unpac.me/results/d179a434-bec2-46e8-88fb-ae6ba21e8ade/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/338aa2c1775d9e5d546abd328fdf31f20638905e85e684c7470ed5de507775ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 338aa2c1775d9e5d546abd328fdf31f20638905e85e684c7470ed5de507775ab

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175922/

Comments