MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34c24059b49ba7aeb7738a40c2ce6f405a641646bfa6899f1a3199fac5ca89ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34c24059b49ba7aeb7738a40c2ce6f405a641646bfa6899f1a3199fac5ca89ec
SHA3-384 hash: a8cb4cf258367fc5c8b35912aeb00741300f2110b405b702492e0ab3122d5c8e810707e78b16ac9be3c5f5a7c63805ed
SHA1 hash: 52b2bfb4003974293666aa4d1be7e2c24e274cdc
MD5 hash: 35b63311ab0480977b15337b8ff85d04
humanhash: sixteen-crazy-idaho-carpet
File name:35b63311ab0480977b15337b8ff85d04
Download: download sample
Signature AgentTesla
Create hunting rule
File size:459'776 bytes
First seen:2021-11-17 22:03:56 UTC
Last seen:2021-11-18 00:00:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:LlvSPNmMvATUwCxOf4eSSusc21u1u+5eRaS0F2IK2bH31JW22v8PlcwsbAe+tC:LlvSPNmMvAufzH1IaLJ352v8PmwB4
Threatray 15'007 similar samples on MalwareBazaar
TLSH T166A4E03036EAD209C97B4F325C7690C047BA7A667F04D66F2CD8124C9D63B974B21BA7
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
35b63311ab0480977b15337b8ff85d04
Verdict:
Suspicious activity
Analysis date:
2021-11-17 22:14:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/83ccc4dc-430f-4a85-8345-8d0af6dcf214

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.31940.20088.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61957c552695a62af9f27c9d/reports/3a1dbb1e-b8ec-4e84-b5cb-fd89155ca2c7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edae410a-165b-4747-9ec1-357812e93c23
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/891574
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/34c24059b49ba7aeb7738a40c2ce6f405a641646bfa6899f1a3199fac5ca89ec/
Threat name:
ByteCode-MSIL.Trojan.Darkstealer
Create hunting rule
Status:
Malicious
First seen:
2021-11-16 13:09:47 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e445903c2ad292aee910f3551e9ca0feca04c4b44497e27fa3cdf5c0f15c0cb
AgentTesla
431bfd160719c61566690f962efbbd9614d0083c258afab14184b185805373a9
AgentTesla
5a5e7d1340f7f0df55e3b9bd4e32a550a7ca937e240d9a3a4e7226fdbfd7b6a1
AgentTesla
a1076d68048c3fdc3c09248407a6fa1e4a7e28c23a6b45d8c3ac58e537771a8a
AgentTesla
a5f17f4bfb15b8d739c235665d26edfb38cf54e860848de6fc08067bfe7ce865
AgentTesla
b091935387e34aeb39e80d1172bd83417a3e11bb78a3d1ff2fed2151386b1cdd
AgentTesla
d305689297d694f0f9402450523a468608f35d4f9058cfcaef63230a54d65f59
AgentTesla
+ 14'997 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211117-1yx95abbap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f
MD5 hash:
bf5c170790a9378101dbc312303925e3
SHA1 hash:
bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8
Link:
https://www.unpac.me/results/6e3b1018-2196-4e5c-8c47-13e51ac53bf4/
SH256 hash:
f81fc1e6e8483efe230f3f06700d54c6865e70dfeea04be0c5bdc69f35af0427
MD5 hash:
15ef35c10b35a9c66147b06cf42a580a
SHA1 hash:
9f38c69439c4238de8ccac1cbb909dfe19cabab6
Link:
https://www.unpac.me/results/6e3b1018-2196-4e5c-8c47-13e51ac53bf4/
SH256 hash:
9ba2a103f994818d3363e01e3e29ff7fd922b66a14d175bb111c8e89734ed140
MD5 hash:
aa05ca969547ded1ebc5a04d94b1f803
SHA1 hash:
7f5bf122de60e716fe52bca12b7bd8c0c45fc320
Link:
https://www.unpac.me/results/6e3b1018-2196-4e5c-8c47-13e51ac53bf4/
SH256 hash:
34c24059b49ba7aeb7738a40c2ce6f405a641646bfa6899f1a3199fac5ca89ec
MD5 hash:
35b63311ab0480977b15337b8ff85d04
SHA1 hash:
52b2bfb4003974293666aa4d1be7e2c24e274cdc
Link:
https://www.unpac.me/results/6e3b1018-2196-4e5c-8c47-13e51ac53bf4/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/34c24059b49b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34c24059b49ba7aeb7738a40c2ce6f405a641646bfa6899f1a3199fac5ca89ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 34c24059b49ba7aeb7738a40c2ce6f405a641646bfa6899f1a3199fac5ca89ec

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1776930/
Cape
Cape
https://www.capesandbox.com/analysis/207010/

Comments


Avatar
zbet commented on 2021-11-17 22:03:59 UTC

url : hxxp://samsung-tv.tk/kdotzx.exe