MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35b8d05a657c4ec7fd846203a5bbce27d1c9458a2f42e99bd3e72987f49c0e80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35b8d05a657c4ec7fd846203a5bbce27d1c9458a2f42e99bd3e72987f49c0e80
SHA3-384 hash: de6fe377006511455a7c99fe915124039ed24935ec5f012d3c9f7b78cccf028cf7e89b0c53e6fcd25697af3b0aeef478
SHA1 hash: e04e2ebc01d2dc9423beef1d3431efda673eb649
MD5 hash: acd501b65e2e7f4aafb9922f66252355
humanhash: nebraska-violet-six-london
File name:DHL AWB # 2343881396.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:764'416 bytes
First seen:2023-09-19 16:29:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:x06gIa2iNP1UvAWlPZewp92mMsCH9aMJcrWCTiNSy4CPOehoWclX1ku6:6TR1Fevl4ProMJc+NbeQcPku6
Threatray 5'618 similar samples on MalwareBazaar
TLSH T111F4E05463F42B57F4B7BBF5AC31620087B6BD6BA951C28E1D8725DAE432B444E80B33
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
DHL AWB # 2343881396.exe
Verdict:
Malicious activity
Analysis date:
2023-09-19 17:02:24 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/a65a3799-765a-4f4c-92fb-e6fcb734d589

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449766/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6509cc8d33582f234efc4a22/reports/30fff272-cee0-4d3c-84e0-6badd5a13032/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/35b8d05a657c4ec7fd846203a5bbce27d1c9458a2f42e99bd3e72987f49c0e80
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ac38da6-de29-4ecb-9bb2-9700b2562d5f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1310970
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/35b8d05a657c4ec7fd846203a5bbce27d1c9458a2f42e99bd3e72987f49c0e80/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-09-19 09:58:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
15 of 35 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gw4nawtfprhmp7memib2lo6oe7i4srmkf5botg6t44uyp5e4b2aa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12e5b82532b73abb25218f602cc9df661e9f58a771631e3baf1f0145db6d74b5
AgentTesla
186e9ac371aaa85c335ee912e54c1d8d444022268dd47570a7373c6cb830ae8f
AgentTesla
5167b917426b8435d81522f885966f00cbf7f5b896e2a6b18696bb0f1194756c
AgentTesla
83e202c299d139b909d80f39e81487515d2f21a9a0b6546f42dbd194088e07e7
AgentTesla
99e76ca97c74ea9e8fe112a45a88f4fd6a684cda8d8666dfe20dc2eef4d61455
AgentTesla
cc2556dc4dd2e1f164c1919338bd557f16b157a1ec0cce9d27f16698f64c6ec0
AgentTesla
d8ab425ae58e676d7575eab5fc65601ac4851045ccd781d592af8342857c6c6b
AgentTesla
d9ed92176c4ea379d85fcdf39c820721212b2493558c466b680058836e379b54
AgentTesla
de74104e75bbf713beee96aa5831a4dd2a94b106d5cfc9b43a598fe858f5aa56
AgentTesla
+ 5'608 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230919-tztj1aae6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4a8d70ece798fb6955e46bdb4b4813924a3bbcf205e585fd0aef148123a44489
MD5 hash:
3bcd5e9d69da03ebe27b9c2e472d9e8d
SHA1 hash:
aa268bd00ed60a5907b4b2a669ddd21a1b8bb4da
Link:
https://www.unpac.me/results/1572b2c9-be84-4499-8e97-5e7246a0fa99/
SH256 hash:
1496d4ac542650a1c6137a567328694f898301ad42d6cd637efe3b512ec77745
MD5 hash:
f8d0cfacbe30d8f3388f6f49efca2f5e
SHA1 hash:
73924864021786ab450db60efc910d8132d63ace
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/1572b2c9-be84-4499-8e97-5e7246a0fa99/
Parent samples :
1464482f2d705d8813e983c4ee8582bde6f1d515c5e2c9406f13146fcf3f2687
35b8d05a657c4ec7fd846203a5bbce27d1c9458a2f42e99bd3e72987f49c0e80
337ce11e758631b9327321060bea40342ee175113d93e8d293a6e6d08d008509
6d8070624c9a9acdd20093644d4baa5481bb5a3e9ccc113e6a140bd721808585
6ec1cae8efacab8646e516e51f70d62b737eb5e33ac0432ed208b4fe3accfcad
SH256 hash:
ea9881889b4cc9a43f0781f83c022768e30ade889c671b5ed3ca2e0a412f47ea
MD5 hash:
c35229af469f1880c4f78b9711adbcfc
SHA1 hash:
640baebf7b9e21ed8d1d3ca8ac69ecdd61dbc736
Link:
https://www.unpac.me/results/1572b2c9-be84-4499-8e97-5e7246a0fa99/
SH256 hash:
784d4e0af30bcca58d54f86b6966e1c147bcc194a99126ebe79538e9084f6d80
MD5 hash:
5caf74e6818e40e82651781613a42425
SHA1 hash:
2a182b1552373e0907bfd03db31120596df994d0
Link:
https://www.unpac.me/results/1572b2c9-be84-4499-8e97-5e7246a0fa99/
SH256 hash:
35b8d05a657c4ec7fd846203a5bbce27d1c9458a2f42e99bd3e72987f49c0e80
MD5 hash:
acd501b65e2e7f4aafb9922f66252355
SHA1 hash:
e04e2ebc01d2dc9423beef1d3431efda673eb649
Link:
https://www.unpac.me/results/1572b2c9-be84-4499-8e97-5e7246a0fa99/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35b8d05a657c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35b8d05a657c4ec7fd846203a5bbce27d1c9458a2f42e99bd3e72987f49c0e80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 35b8d05a657c4ec7fd846203a5bbce27d1c9458a2f42e99bd3e72987f49c0e80

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/449766/

Comments