MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35337110a81aaaa8660ee719de14b8831bceaa93800631a2163018731754b62d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	35337110a81aaaa8660ee719de14b8831bceaa93800631a2163018731754b62d
SHA3-384 hash:	70d0d1ba05ff1ff221feb3e06acc0a7576585d71be8a3e98923740721b590994989af658e7697d9e209206020c0d706d
SHA1 hash:	3018defd6bc955528e653beed1b7cf38298aeca7
MD5 hash:	bc1d78b42ed6b483d19324dffe964e66
humanhash:	sweet-island-wolfram-muppet
File name:	SecuriteInfo.com.Win32.RATX-gen.31212.27702
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	925'184 bytes
First seen:	2022-12-13 10:46:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:V/KOMpLebpdqhzrIIvKpx8AcdKPdgRw+yi:EPp2LuzrIIvKpSGCR
Threatray	21'218 similar samples on MalwareBazaar
TLSH	T1E61501CD9085B092EC656BB9C0311E0401737E99363BFA6EDD9BB462CBB33DE2119953
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	7964c6093566696f (2 x AgentTesla, 1 x Formbook)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Win32.RATX-gen.31212.27702

Verdict:

Malicious activity

Analysis date:

2022-12-13 10:50:48 UTC

Tags:

agenttesla trojan rat

Link:

https://app.any.run/tasks/237ae0ee-6dfa-4478-8014-33a1e04596a6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/345795/

Detection(s):

SecuriteInfo.com.Win32.RATX-gen.31212.27702.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Sending a custom TCP request

Unauthorized injection to a recently created process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6398582c9a505ad9423f7c5d/reports/e3f1211e-aaa3-4f12-9262-58db2d6d90e4/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a7f4e989-02c9-4e1c-b11b-277c1ef71269

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1133329

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/35337110a81aaaa8660ee719de14b8831bceaa93800631a2163018731754b62d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-13 10:47:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=guzxcefidkvkqzqo44m54ffyqmn45kutqadddiqwgamhgf2uwywq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

15afda627d45b60188820d0bddba8fd8334a98dc86742eb3339834be2d4a1b96

AgentTesla

17dcdda9a73e754b3d6a9ef75c6182abd1b0e6f09aa7100cd49c34d7497887d7

AgentTesla

1c458dbab474aa55c42e465e34a64faae2b567910490621aeda7ffb51b7b29dc

AgentTesla

3e8e2a2868f0e729a298541b51105ca23c60b0ffaa2c7b7c89e8a1edc0b2eab7

AgentTesla

66e8893d8742feb4cf59cba5705d0ed26ec79f7287c873e56b4216b71903af81

AgentTesla

6edf2090f396f8b0fe0846194add30c81ff740e21599fb660a5f6433474de8c7

AgentTesla

91ad5e288cc86d88bb3189716581fcd1bc5d0f13b2be3a471c8758fd97bfda69

AgentTesla

+ 21'208 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221213-mvjexaed97/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8169e625-7f2f-4fda-a10c-344f15f25b1c

Unpacked files

SH256 hash:

db8f6fda92e5f0fc4a4732e5e512865e6e5ec77d8ec2d4e3e30061ccb84a0446

MD5 hash:

7ec762f782247b6df1f840e468d81f16

SHA1 hash:

f77dd83bca75c260d136daa26d71c441d30e85ba

Link:

https://www.unpac.me/results/7a871d8d-b469-4a60-8bd8-485acd0903c9/

SH256 hash:

35cad145efd0b5b6396491150d2e307d4cb5e06d4f1b41aa310393c6dce520b9

MD5 hash:

56f8354a2e307e73243ff0056295fedd

SHA1 hash:

ed3257769ea438e1b5e86c3ef033e2deca86e239

Link:

https://www.unpac.me/results/7a871d8d-b469-4a60-8bd8-485acd0903c9/

SH256 hash:

6d258a12b1967d29134a0656cd8a7830ddd705228036dcbf38cd40fb7a80cb29

MD5 hash:

951560f1359bec687a3f2051a716d3f3

SHA1 hash:

ebc87aae5add8f5bfe238f1c17101d7ccb046bf8

Link:

https://www.unpac.me/results/7a871d8d-b469-4a60-8bd8-485acd0903c9/

SH256 hash:

4ee60523f3c5539d03eddfc2e17cbd4dbf19a18e8909d0d588ad103d6edf035b

MD5 hash:

bff6f69f0462353c9d308ccb4177a957

SHA1 hash:

7cd553cb3f39bd241ac315627c486759299fc218

Link:

https://www.unpac.me/results/7a871d8d-b469-4a60-8bd8-485acd0903c9/

SH256 hash:

5f8c22a382a0ca38d0a3f92f514cf4b1b5658d96d54df78012fa3adb22d9a8ea

MD5 hash:

1a60a78adb8356f0e6385048b03e60a0

SHA1 hash:

3ab589436c02c263fdb335ef6c3f78114b43dff3

Link:

https://www.unpac.me/results/7a871d8d-b469-4a60-8bd8-485acd0903c9/

SH256 hash:

35337110a81aaaa8660ee719de14b8831bceaa93800631a2163018731754b62d

MD5 hash:

bc1d78b42ed6b483d19324dffe964e66

SHA1 hash:

3018defd6bc955528e653beed1b7cf38298aeca7

Link:

https://www.unpac.me/results/7a871d8d-b469-4a60-8bd8-485acd0903c9/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/35337110a81a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/35337110a81aaaa8660ee719de14b8831bceaa93800631a2163018731754b62d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/345795/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample