MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 362e42c3177269fc66fc65605ae7d03fe78347f9b3d9c10709d7b09e868afa87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 362e42c3177269fc66fc65605ae7d03fe78347f9b3d9c10709d7b09e868afa87
SHA3-384 hash: 39557daece3776e78f7478d1db7a4549207597162713988be7cae3703018742ff05630f7790cc91f5f68a2f738e95128
SHA1 hash: 7d5764bbb1228be1f659f12ef99156cab511d257
MD5 hash: fefd894a85f97e5e89a04e5788f84e3d
humanhash: jersey-sodium-lamp-maine
File name:fefd894a85f97e5e89a04e5788f84e3d
Download: download sample
Signature AgentTesla
Create hunting rule
File size:491'520 bytes
First seen:2022-11-09 17:47:32 UTC
Last seen:2022-11-09 20:50:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:NynC1kNBKbUkrfQsGyue0dnT49NKyKNtoUDij:snC1IiUoG5dnTPyY7ij
Threatray 546 similar samples on MalwareBazaar
TLSH T1C1A4E1FDEBE49553D960DAB2F577D2C7AC214CBB137E01FE2941498C88E582CE690392
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5360001202.xls
Verdict:
Malicious activity
Analysis date:
2022-11-09 16:45:56 UTC
Tags:
macros opendir loader
Link:
https://app.any.run/tasks/357afaac-d7c9-4cb7-8459-935e14b831b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331388/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.27671.4543.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
imuler packed
Link:
https://www.filescan.io/uploads/636be7d520a0b4943a8ea106/reports/aa992edb-b851-4a76-9647-44cf62575530/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/290fd0e7-eebc-4bc6-b8ac-c7087853bf8c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1109563
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/362e42c3177269fc66fc65605ae7d03fe78347f9b3d9c10709d7b09e868afa87/
Threat name:
ByteCode-MSIL.Infostealer.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2022-11-09 09:53:33 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gyxefqyxoju7yzx4mvqfvz6qh7tygr7zwpm4cbyj26yj5buk7kdq._file
Verdict:
unknown
Similar samples:
06a71366813620e612dfc0f0e7f293712b6b10546db85bc065705d14db007a2d
AgentTesla
34259ebe24b406dd57d293d68a2d035f25e229a5f65cd9eef0215e40331a3d21
AgentTesla
4f28d606adaacc365adde510380b2d5111339ecca6fc7e996d68e6ebb66d29b8
AgentTesla
560a2b36202c7ffffb40372f390dddc776a8fb0d3deef44e7c7b4cbb02a61138
AgentTesla
79444990f14a93a2dbf9d6441c0cd28d9f1b9934e0bff5377663526c7ca85aaa
AgentTesla
87a7b708cf5f194568ce728a77c5778078720d6ff6346ea269f0a5427398ad60
AgentTesla
8aa601cbb8b4ac57f68738444ca04d146662ce65656110ae0f804baef1c242f5
AgentTesla
cc25f86e8cd330e2752c8de224da8f59d4efde286f7018a23f55334fdc2e8175
AgentTesla
ebc1c03760f08f8e264c69a6515c4dfd91698ad720f625c02b389a5081380e9b
AgentTesla
+ 536 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221109-wdevtscedn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Unpacked files
SH256 hash:
362e42c3177269fc66fc65605ae7d03fe78347f9b3d9c10709d7b09e868afa87
MD5 hash:
fefd894a85f97e5e89a04e5788f84e3d
SHA1 hash:
7d5764bbb1228be1f659f12ef99156cab511d257
Link:
https://www.unpac.me/results/cb3f60d7-c445-421e-8bbc-28a95a6a3880/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/362e42c3177269fc66fc65605ae7d03fe78347f9b3d9c10709d7b09e868afa87

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 362e42c3177269fc66fc65605ae7d03fe78347f9b3d9c10709d7b09e868afa87

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2406012/
Cape
Cape
https://www.capesandbox.com/analysis/331388/

Comments


Avatar
zbet commented on 2022-11-09 17:47:46 UTC

url : hxxp://103.99.2.245/dataspace/vbc.exe