MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33c613ffbd3f55b7ab66e495cd5b327e856bcea49e3ab8d2537ea8d6efca70a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33c613ffbd3f55b7ab66e495cd5b327e856bcea49e3ab8d2537ea8d6efca70a4
SHA3-384 hash: d866b6ebf1ffb1baa80d69e7730de220fb9ac7bbede15d19612504438c82d05da11ae764fe0ab4463cfda14c3363a8d5
SHA1 hash: 97aab61645d01a5c617d2c6d0a242141fee2e552
MD5 hash: 6d00caa274181747e725ece6082b0ede
humanhash: lima-iowa-florida-ohio
File name:6d00caa274181747e725ece6082b0ede
Download: download sample
Signature AgentTesla
Create hunting rule
File size:798'720 bytes
First seen:2021-08-10 08:44:36 UTC
Last seen:2021-08-10 09:12:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:bjaThvXUprT0gtSLF4H9P33eYzdbHs/CrvsRpkzPO:bihvXU98SP33
Threatray 8'132 similar samples on MalwareBazaar
TLSH T13105E0667740FB8EC17A0E75D4426800DBE0E273A707F3CB6DE319D8558E6DA0A2B356
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6d00caa274181747e725ece6082b0ede
Verdict:
Malicious activity
Analysis date:
2021-08-10 08:46:32 UTC
Tags:
keylogger stealer agenttesla
Link:
https://app.any.run/tasks/9193844b-835d-43fd-964a-ed86188987fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177858/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FDM.genEldorado.11653.2130.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d9d12f2-9d7f-43ee-b74a-4a194108b956
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830018
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 462446 Sample: 2dk2VoVS7f Startdate: 10/08/2021 Architecture: WINDOWS Score: 100 62 Multi AV Scanner detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected AgentTesla 2->66 68 6 other signatures 2->68 7 2dk2VoVS7f.exe 7 2->7         started        11 newapp.exe 5 2->11         started        13 newapp.exe 4 2->13         started        process3 file4 44 C:\Users\user\AppData\...DVgkKsisu.exe, PE32 7->44 dropped 46 C:\Users\...DVgkKsisu.exe:Zone.Identifier, ASCII 7->46 dropped 48 C:\Users\user\AppData\Local\...\tmp95B7.tmp, XML 7->48 dropped 50 C:\Users\user\AppData\...\2dk2VoVS7f.exe.log, ASCII 7->50 dropped 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->70 72 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->72 74 Uses schtasks.exe or at.exe to add and modify task schedules 7->74 15 2dk2VoVS7f.exe 2 5 7->15         started        20 schtasks.exe 1 7->20         started        22 2dk2VoVS7f.exe 7->22         started        24 2dk2VoVS7f.exe 7->24         started        76 Multi AV Scanner detection for dropped file 11->76 78 Machine Learning detection for dropped file 11->78 80 Injects a PE file into a foreign processes 11->80 26 schtasks.exe 11->26         started        28 newapp.exe 11->28         started        30 schtasks.exe 13->30         started        32 newapp.exe 13->32         started        signatures5 process6 dnsIp7 52 192.168.2.1 unknown unknown 15->52 40 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 15->40 dropped 42 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 15->42 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->54 56 Moves itself to temp directory 15->56 58 Tries to steal Mail credentials (via file access) 15->58 60 3 other signatures 15->60 34 conhost.exe 20->34         started        36 conhost.exe 26->36         started        38 conhost.exe 30->38         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/33c613ffbd3f55b7ab66e495cd5b327e856bcea49e3ab8d2537ea8d6efca70a4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 00:45:26 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b8d3e355ad916bb3152fafcb6b508b8c4bcff4c654b682327af6d59dd281863
AgentTesla
31ab2bfd738bd5e28af20fbf5833b7173fffa70ffe4453a6710f73999c9516b4
AgentTesla
4955c0093c474d0052c522cd6bf1d96ca9eab8371a986f070d044a30c5c6b202
AgentTesla
6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
AgentTesla
6bf069abd9545acb9c28ea325847c2c00cb8eaf93b6ebacf06b0d38d363573ba
AgentTesla
78ac5419d87578e87f5b0aa9e99714044cdea7632329064f467db8f95e5eaa19
AgentTesla
abe6a77fefdede7de287d151689f87a3f59eb496d94351f4085b3bc1a6b755c2
AgentTesla
e3ef14eb257c49d94dab868e5f31cc0d692b9244ec6e95157aad074400be23d5
AgentTesla
ef5bbee3204de76c05424d5b000743e94acadff8a67a97d95ff3bdb3496b3190
AgentTesla
+ 8'122 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210810-lsh1p2sf72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
73e714fdff0e122e79375378a5651b9f0dc90cad169762c26f42c4f2d41836cc
MD5 hash:
9522979b8c61f3074a4b453bc3a325ba
SHA1 hash:
f0ed14d49ee4ba8eff000ef57cb463d23a54939e
Link:
https://www.unpac.me/results/768b425f-5b68-4cdc-8138-59a3372b1d55/
SH256 hash:
48cb98d7e0bd706131a7ba0397ad14c42c2bfa71e2d0abc1775f4d3d1242c156
MD5 hash:
c8b331a9119b26646e9c6c6457523078
SHA1 hash:
e41d4d011dfb5c2f1850562462af4f92b642526f
Link:
https://www.unpac.me/results/768b425f-5b68-4cdc-8138-59a3372b1d55/
SH256 hash:
ed0dd1e2260da7b03c8b80e0b45e8fef44be722c1e8c41e078c1a25ed0d18ecc
MD5 hash:
6057ce35bd926dd6d49dedfa9cc18372
SHA1 hash:
1f4e44e1740ffbd91129ac3a37d22845bc52c158
Link:
https://www.unpac.me/results/768b425f-5b68-4cdc-8138-59a3372b1d55/
SH256 hash:
33c613ffbd3f55b7ab66e495cd5b327e856bcea49e3ab8d2537ea8d6efca70a4
MD5 hash:
6d00caa274181747e725ece6082b0ede
SHA1 hash:
97aab61645d01a5c617d2c6d0a242141fee2e552
Link:
https://www.unpac.me/results/768b425f-5b68-4cdc-8138-59a3372b1d55/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/33c613ffbd3f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33c613ffbd3f55b7ab66e495cd5b327e856bcea49e3ab8d2537ea8d6efca70a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 33c613ffbd3f55b7ab66e495cd5b327e856bcea49e3ab8d2537ea8d6efca70a4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/177858/
  
URLhaus
https://urlhaus.abuse.ch/url/1521473/

Comments


Avatar
zbet commented on 2021-08-10 08:44:37 UTC

url : hxxp://bante.xyz/saveme/jasper.exe