MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34ecca4a7e5a01eb8382e6695c9478b1906e1874d3922aad852c32716fa05902. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	34ecca4a7e5a01eb8382e6695c9478b1906e1874d3922aad852c32716fa05902
SHA3-384 hash:	767aa36ff4d440b72c0ca2f7ac15b1ba5cde63f9753369c7440fe7fc0388860b803585fbd7fa7c552a885be852583e41
SHA1 hash:	bbb25c5c464052db37d9eeed70ef14df2abf7581
MD5 hash:	2890e8c5716be6b434dd42f71868daa2
humanhash:	music-mobile-glucose-low
File name:	Lista de embalaje 94367.pdf.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	709'120 bytes
First seen:	2023-05-11 19:10:27 UTC
Last seen:	2023-05-13 22:53:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:O6mNvVeyNsjny8SJvwVThcW9ZWh/Dq+rFp527SN3RqQhRSy9tOH+89UHr+cp4:xmxVeCApSAgh/Dq+rFvbNBqQhRSwOe8D
Threatray	3'416 similar samples on MalwareBazaar
TLSH	T173E4E085437BADD2DA581B70321439534E3DA11B78F8B4FC7C1FB888C99A9215BE4B72
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

259

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

Lista de embalaje 94367.pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-05-11 19:18:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6f6b9710-53b7-4565-9471-a832195ff90f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox XorStringsNET

Detection:

XorStringsNET

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/388514/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.66982832.1168.18315.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/645d3dccc895be5a6e069a65/reports/b29e57dd-9d7f-4c3f-a7a2-e2928acc1d9d/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/34ecca4a7e5a01eb8382e6695c9478b1906e1874d3922aad852c32716fa05902

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Agent Tesla

Malware family:

Agent Tesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/337220d8-f070-45c9-8c96-5580cb084929

Joe Sandbox AgentTesla

Result

Threat name:

AgentTesla

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1231072

Signature

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/34ecca4a7e5a01eb8382e6695c9478b1906e1874d3922aad852c32716fa05902/

ReversingLabs TitaniumCloud Win32.Spyware.Negasteal

Threat name:

Win32.Spyware.Negasteal

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-10 19:28:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

8

AV detection:

18 of 24 (75.00%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gtwmust6lia6xa4c4zuvzfdywgig4gdu2ojcvlmffqzhc35aleba._file

Threatray agenttesla

Verdict:

malicious

Label(s):

agenttesla

Alert

Create hunting rule

Similar samples:

1c0216850dbb0c54ac0530096791d93e6b2309a72171c933c2f633d49a5eabc4

AgentTesla

32606aec367ff7a71d0af223af5d22075a6cebc9fb967e4f2b5903fdee682bf6

AgentTesla

333b4a89730feb420bc1a76bed5c75943e663abd60eaf91c1bafd8417ccab76d

AgentTesla

5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067

AgentTesla

784074560889770845788ca5875ff3660a30fb85d27823c017b209b101be3499

AgentTesla

b56529131600b58462657106380f4ec863397c8a51f52dba1ea33ec0cfccefdc

AgentTesla

bdfd3a90007f6305a48bf0297b5e0f9015cda1d82b1cb90ce6627bd9e7bc16cd

AgentTesla

c5b618054d855fffed65dc372080cdc5de39ca31edd513e7765a02c64f9b9e1b

AgentTesla

f1d17b3eaebacbc4bb2bbbd958910c39391ba63cf9ff0bc7ecbc8875dded84b7

AgentTesla

f4987dacf72e39e82c79a98402f44f83e364f4e1a96c808dbdcfd232c276fa09

AgentTesla

+ 3'406 additional samples on MalwareBazaar

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230511-xvyjyaab53/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

UnpacMe AgentTeslaXorStringsNet

Unpacked files

SH256 hash:

3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35

MD5 hash:

8a2c496875c0871aecc16aae768b323f

SHA1 hash:

f5423a32125c70b512de301c5616c7b75477e2e7

Link:

https://www.unpac.me/results/9438aca5-6aa9-4134-8730-1dccd25ae025/

SH256 hash:

bdfd3a90007f6305a48bf0297b5e0f9015cda1d82b1cb90ce6627bd9e7bc16cd

MD5 hash:

52c7540741d5e17d69e652ae8313bff4

SHA1 hash:

686cb503c1c90414566dbd1796b46ef0acfb231a

Detections:

AgentTeslaXorStringsNet

Alert

Create hunting rule

Link:

https://www.unpac.me/results/9438aca5-6aa9-4134-8730-1dccd25ae025/

Parent samples :

784074560889770845788ca5875ff3660a30fb85d27823c017b209b101be3499
f4987dacf72e39e82c79a98402f44f83e364f4e1a96c808dbdcfd232c276fa09
1c0216850dbb0c54ac0530096791d93e6b2309a72171c933c2f633d49a5eabc4
bdfd3a90007f6305a48bf0297b5e0f9015cda1d82b1cb90ce6627bd9e7bc16cd
f1d17b3eaebacbc4bb2bbbd958910c39391ba63cf9ff0bc7ecbc8875dded84b7
32606aec367ff7a71d0af223af5d22075a6cebc9fb967e4f2b5903fdee682bf6
34ecca4a7e5a01eb8382e6695c9478b1906e1874d3922aad852c32716fa05902
6603e18a8253f8d08941d0c458c8fc3baf185b5f2bdf9cd6854d83761f4267dc
ca6a6aecce39ebda2e107fbe004eabd01987ef49bc04078d42a566cc517be270
48fbad14bfadc210fb83d8281d7001bf056f5b96698ae2b3b27f4845045c02a8
4eff9b9fcfb59f8402b524565f92e905dbec8c610ec6dadaf9c3cb1fd5c3e5e0
a9cdb9cfeb1c1056c0db558d54cfa61d9f3dac179e934d2869f4bd829fe20819
b4e06eb03f2595cab0b744c37290c3641f8ceff3970fc4ebefae073e0b1fa780
5241d93369ff133d1aa4381a074806b10d37f414261f89f2198ef76d238b5ec1
9748fc497d427eb41191ea495d907cd5d2dd9455ed20bf08df947bdb15d84baf

SH256 hash:

5f3731f037b747b7d183a6811e44205040993c500a9fe122139de1878342a9fb

MD5 hash:

3ea0f5a10f9af9e8599a4235e4a7a916

SHA1 hash:

649c9aa81043cfa7a3fa3c8e79d0ea124d8282ae

Link:

https://www.unpac.me/results/9438aca5-6aa9-4134-8730-1dccd25ae025/

SH256 hash:

3fa6b1a4a98493ce2b5f76440697f26b6f7e31f158105078d0867e9f6ce2be2e

MD5 hash:

8b99e238c25bc4b805e6f990a9dad58a

SHA1 hash:

512fa1e1daf2cc06200f87e1e1216a5d6ff291b1

Link:

https://www.unpac.me/results/9438aca5-6aa9-4134-8730-1dccd25ae025/

SH256 hash:

6f67d90a2d6ccf126fd5412a7ffc993bbd28556a9fe5f95a7980d6dcba108588

MD5 hash:

6df331a32d1fb83288f32cc7be5b9e4a

SHA1 hash:

406d642858e97e50be74e7ddbd75fcb496641483

Link:

https://www.unpac.me/results/9438aca5-6aa9-4134-8730-1dccd25ae025/

SH256 hash:

34ecca4a7e5a01eb8382e6695c9478b1906e1874d3922aad852c32716fa05902

MD5 hash:

2890e8c5716be6b434dd42f71868daa2

SHA1 hash:

bbb25c5c464052db37d9eeed70ef14df2abf7581

Link:

https://www.unpac.me/results/9438aca5-6aa9-4134-8730-1dccd25ae025/

VMRay AgentTesla

Malware family:

AgentTesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/34ecca4a7e5a/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/34ecca4a7e5a01eb8382e6695c9478b1906e1874d3922aad852c32716fa05902

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 34ecca4a7e5a01eb8382e6695c9478b1906e1874d3922aad852c32716fa05902

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/388514/