MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33bf5c7e008702144c8ec88d5e22c80609463864658612f818d43ca963a5d156. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	33bf5c7e008702144c8ec88d5e22c80609463864658612f818d43ca963a5d156
SHA3-384 hash:	e77d2323d368d25ababcf4d137363457360a17d4233f23413a64938e0a5d3b068c5bda76ad2b6796cc6b3cabe4610332
SHA1 hash:	3658dc9da9210ff233934bdeed28071529949b60
MD5 hash:	b82e8e3462f15ef46218fe27db93fd8b
humanhash:	enemy-double-bravo-blue
File name:	Al Jaber Dubai.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	892'416 bytes
First seen:	2020-12-03 06:42:52 UTC
Last seen:	2020-12-03 23:49:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:/F3pfzgzs0Fs2qPVGNbTuMuKBD7hpvATZElP/Pn1mV5fEAFZTBI/t44tdQ+d0dIz:/YsST0sDd8+3NmoAFZTGtndPt/d7V
Threatray	1'614 similar samples on MalwareBazaar
TLSH	9F158D366F58163AF13AAB3CD1B0215157EEBBA3B707D8DC28B531C90B63A4289D153D
Reporter	GovCERT_CH
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/106484/

Detection(s):

SecuriteInfo.com.Trojan.MSIL.Agent.ERG.21730.32615.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/554267

Signature

.NET source code contains very large strings

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/33bf5c7e008702144c8ec88d5e22c80609463864658612f818d43ca963a5d156/

Threat name:

ByteCode-MSIL.Trojan.Ymacco

Status:

Malicious

First seen:

2020-12-03 02:16:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=go7vy7qaq4bbiteozcgv4iwiayeumodemwdbf6ay2q6ksy5f2fla._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4afc70d7e08f66f587fd37ce1848989853a7405435e92a3d25652781dec66348

AgentTesla

6fe5e475ec18550353f2e1e2affdbeb8ea72603f9059af42c36ee24f4ce08c32

AgentTesla

8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f

AgentTesla

a51bd84d3facb55aaa7d351f79a6383f50b362c48a7abf373675aedd13aa9770

AgentTesla

bb21a5f1607c110559ca73cc8106f61313687e304b3c609b718580f647345fcc

AgentTesla

bb5655ed407d25d54cefaf7d9834192b007ea351bfd0237ea1d59f63333a9aef

AgentTesla

c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96

AgentTesla

ced74986e807f1b4dd969d4811e20b516b11b39d0d8681ebadf9123a6de30b7c

AgentTesla

e694eadb2f24bf7de44a2cc1d1fbc3d2e84d83d6cac2be444aef377bea95cc29

AgentTesla

+ 1'604 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201203-l4r4am7egn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f

MD5 hash:

7476e403eef14ac403c63c7279831780

SHA1 hash:

8387f558e30dc115987ac2b5c174a41302471abf

Link:

https://www.unpac.me/results/9ce8d163-4274-47ed-aa3e-ec4489746586/

SH256 hash:

33bf5c7e008702144c8ec88d5e22c80609463864658612f818d43ca963a5d156

MD5 hash:

b82e8e3462f15ef46218fe27db93fd8b

SHA1 hash:

3658dc9da9210ff233934bdeed28071529949b60

Link:

https://www.unpac.me/results/9ce8d163-4274-47ed-aa3e-ec4489746586/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/33bf5c7e008702144c8ec88d5e22c80609463864658612f818d43ca963a5d156

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.