MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34bebb0936e153711639007269f14bc1d49c46963b3b9f322fedd9cd9d802ea1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34bebb0936e153711639007269f14bc1d49c46963b3b9f322fedd9cd9d802ea1
SHA3-384 hash: e61eb9dc247ac50d5cc418d74504ca91291a6acac6312a44f129d4b2b65ef3cf004418cf81420df261c7d17b9d390030
SHA1 hash: c82862608467491563ec5cb212883885dc5dd4e3
MD5 hash: 2b80933e43a6fe5e1a779d0e73c6d2e6
humanhash: sodium-freddie-double-fillet
File name:F021-V18 - Transf al Exterior por Importación de Bienes - v20211029.V2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'056'768 bytes
First seen:2021-12-15 17:06:07 UTC
Last seen:2021-12-15 18:44:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:r2KVXw69jXpgHOdcMDrW8SQg6PBjE4fx353FbGp2eABOvCBISK3:68AmjX+udJDroB6PK4fxG2eABOmK3
Threatray 13'437 similar samples on MalwareBazaar
TLSH T11E25234D5BC19369C59E0BBB0035A914A3B4AB9BFAA9E4889D94E1FA0D433C42B113D7
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
F021-V18 - Transf al Exterior por Importación de Bienes - v20211029.V2.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-15 17:09:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/34a2bfb8-16a6-4353-bae6-316a0f29b775

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214378/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GGK.genEldorado.5819.20417.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware obfuscated packed
Link:
https://www.filescan.io/uploads/61ba20b7dbe06b75d7bec741/reports/34fe07ef-3ef2-4ec2-a355-b8d5ab64889b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a74490a2-7898-4e99-8e2e-36c81032adda
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908021
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/34bebb0936e153711639007269f14bc1d49c46963b3b9f322fedd9cd9d802ea1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 17:07:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gs7lwcjw4fjxcfrzabzgt4klyhkjyruwhm5z6mrp5xm43hmaf2qq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0bde3651b28acbd70a77d6832f86a5370cba32f0f213b1062dec071112166128
AgentTesla
0f59bc5437d0205498a3dd4b45f175f8f9394a5634f3cc3a12c5f8e6f6652153
AgentTesla
2054aea7c02d7fe0631a126588030445b14af83428eb213d719400d6b80acde3
AgentTesla
3c889ae1b159235e09cca9e5ca2953ef4d7654bdf9e0a71da39a9964ebb2d236
AgentTesla
3d98af517d49b15dba615482257fd8a72f8810b0d4f18a47fce8bf06b3372fa9
AgentTesla
45dccaad934288f260355be3e0bd7d37bd1ebc48ca4aaf23321fac27482bed44
AgentTesla
86d2cfb0556b0cbf827ecd36ce781aed27e68d25c63ea17215a40f4a22fbb066
AgentTesla
b420aa90dc3b64b0c598ed76edfe8d6b0e16bbbeb3cf1f7e1623a68a673b7f0c
AgentTesla
db302733f7d15057ff2d61f51bd5c12c95d0afa31c001897fca1c9025f735167
AgentTesla
ec11b9a6145dafb16d9f1d1355b00e15171136749f5e2b59c2c8266da65be397
AgentTesla
+ 13'427 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211215-vmy5dsbabl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
2418c7476fc8276d8cd11ef7f814081928e6814b828fc16a012f2608386f9def
MD5 hash:
d14733f7145c76d64f93043f4ece5b54
SHA1 hash:
5c34eafc699f64105d522ed4d75034aa855b3217
Link:
https://www.unpac.me/results/b641c574-1e4b-4bd8-9dad-912ffa418e26/
SH256 hash:
f6b25fbe9ed2fc0d55a69117a85788bb0a0687b131278c0c3ed7d05c594060d1
MD5 hash:
b632ceec736e64eaafe0dbbebf506a92
SHA1 hash:
231553f808a055bc8a2bb643d6a366f43cd8b5ec
Link:
https://www.unpac.me/results/b641c574-1e4b-4bd8-9dad-912ffa418e26/
SH256 hash:
759f5c8a8efa46c9743f06f2827e6ee9292d77ec227abdba830e2b4e1865b7e5
MD5 hash:
5b3ff4ea65a2c44a27ef3444151106d1
SHA1 hash:
083d723a2958751fd81412dff93363e45a42ef8b
Link:
https://www.unpac.me/results/b641c574-1e4b-4bd8-9dad-912ffa418e26/
SH256 hash:
34bebb0936e153711639007269f14bc1d49c46963b3b9f322fedd9cd9d802ea1
MD5 hash:
2b80933e43a6fe5e1a779d0e73c6d2e6
SHA1 hash:
c82862608467491563ec5cb212883885dc5dd4e3
Link:
https://www.unpac.me/results/b641c574-1e4b-4bd8-9dad-912ffa418e26/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/34bebb0936e1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34bebb0936e153711639007269f14bc1d49c46963b3b9f322fedd9cd9d802ea1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/214378/

Comments