MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36447ff33c2c49c8a622b7972e6b20c05884a369e8ee59ae443fa579412444a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	36447ff33c2c49c8a622b7972e6b20c05884a369e8ee59ae443fa579412444a0
SHA3-384 hash:	86235d049b851633cdebb3b6b8dc850b0c02d968e666cbdb341a7be95a2fe46b723200c061c2095d1e074f52fa6bfbd9
SHA1 hash:	00c599f278f9ef9fbe6ca78fe4b29aafafe4508f
MD5 hash:	8462489e89954ef26d90cf96da39714a
humanhash:	kansas-alabama-uniform-chicken
File name:	Zamówienie.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'025'024 bytes
First seen:	2021-07-30 10:18:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:Kat4jKXpaN9o5m5/d3XhLbez46kFXzTIaCVK/6AY3zaZtAWxW2mt9/5eHEugX0:4h5/d3NT1zTIn8xWfRugX0
Threatray	8'118 similar samples on MalwareBazaar
TLSH	T17825BF11B984DF45C87D43728FDE41244BF8A882F1B1CB193EB523B89461BA6EE3935D
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

587

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Zamówienie.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-30 10:18:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/17aba660-130d-470e-b80d-30205b0059cf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b2acc1ad-7b5a-4065-a995-161e1fdcb184

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/824399

Signature

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/36447ff33c2c49c8a622b7972e6b20c05884a369e8ee59ae443fa579412444a0/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-30 08:40:04 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gzch74z4fre4rjrcw6ls42zaybmiji3j5dxftlseh6sxsqjeisqa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

10c6a742e567562542935546814cc76b828aab283eddc43a5d1a09d9c128a6b6

AgentTesla

310b0037e8395eafa4f15bf3c09983052f68fa5490bb0670562f71f426002bb4

AgentTesla

4f6160e4c934ebea2ec7628b06c97b7995d0b4378f817adfadb15c90c3edb202

AgentTesla

50f90f15051f6b67b24f50b1f339e8eb40a513ce175f5ce12f6f2a7341d1785b

AgentTesla

5776326232f8948c3e3bbbbb80ff0b1f50fc12df854c6eec11af2d4a0a9666f2

AgentTesla

6c838b83ecff0d930f544dc8b10c9e856e2d601bb2552f01cc6c8dd57c2f99ce

AgentTesla

e8ac3ec1635db76942a09b304a3588e68a54211bc87409d836d52c2d7ad4cd98

AgentTesla

eaafd1f5bbc5cc71afd88af3e8cad44b766210283b8e2e376ed3b829de4c4ba7

AgentTesla

fc166af65772a1d1402c921cd81c5711d1e49abdd78e08ecf546626974d57314

AgentTesla

+ 8'108 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210730-661sr3pc52/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

CustAttr .NET packer

AgentTesla

Unpacked files

SH256 hash:

302535ead98b19f9990d4380a409cd4785c2e2cea5f5490cc50b136d0c668ced

MD5 hash:

30b6d52aee675a24f4b64ffbe0169899

SHA1 hash:

96f5b009ce08fb654079b3e31f9aedd25f680bf6

Link:

https://www.unpac.me/results/da4f5353-0478-48a3-8897-5ada123dc6a9/

SH256 hash:

97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438

MD5 hash:

68463851c0e6fe7a254c99fae763d454

SHA1 hash:

4587a5371d88c296a0184fe47ee0c5245b187127

Link:

https://www.unpac.me/results/da4f5353-0478-48a3-8897-5ada123dc6a9/

SH256 hash:

a66ee633114f494b1ad66c086d26068e42e2cfd67cfb58490f618946774c3450

MD5 hash:

6967bbc834e4e48ca67f7c3695e2a1f2

SHA1 hash:

1ca662578e1f9f8b16c699a229746d8c4c57157e

Link:

https://www.unpac.me/results/da4f5353-0478-48a3-8897-5ada123dc6a9/

SH256 hash:

36447ff33c2c49c8a622b7972e6b20c05884a369e8ee59ae443fa579412444a0

MD5 hash:

8462489e89954ef26d90cf96da39714a

SHA1 hash:

00c599f278f9ef9fbe6ca78fe4b29aafafe4508f

Link:

https://www.unpac.me/results/da4f5353-0478-48a3-8897-5ada123dc6a9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36447ff33c2c49c8a622b7972e6b20c05884a369e8ee59ae443fa579412444a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample