MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36b46cc4190ce3730b7655ca7cd4ac4cb651d4bcee0bfadce918178440a75400. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36b46cc4190ce3730b7655ca7cd4ac4cb651d4bcee0bfadce918178440a75400
SHA3-384 hash: 558d2960392f7567b7a6545b5d341385d9c1eb7d91be8faf0f4528d2266f2ddef5ea11f6ce6ea98284e7647f7c88b637
SHA1 hash: 396e9b17a1469a84803673dac40d5be7244352f9
MD5 hash: d22c8ae1012d8494ad7c0a0fc7004350
humanhash: pip-oxygen-four-speaker
File name:Confirmación de facturas pagadas a su vencimiento.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:698'880 bytes
First seen:2023-08-09 16:48:48 UTC
Last seen:2023-08-09 17:46:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:NsZx4iF9yeIea4jyJgr71w3ohhj/r8QvOZyBhspkO+TwUQcK:a74i0ea4m6r7Eohhj/r8fZKhsp1UwIK
Threatray 139 similar samples on MalwareBazaar
TLSH T1B2E40102373CAF33E5F993F5257910900BF2255E2A9EDA680DE2B0DE1976F109A11F5B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Confirmación de facturas pagadas a su vencimiento.exe
Verdict:
Malicious activity
Analysis date:
2023-08-09 16:52:35 UTC
Tags:
evasion snake keylogger trojan
Link:
https://app.any.run/tasks/27800074-e8f7-49ef-a3b6-deb00551adbc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441703/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2252.10025.13373.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/36b46cc4190ce3730b7655ca7cd4ac4cb651d4bcee0bfadce918178440a75400
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7bb8ba11-a018-4c7e-afaf-b9a36c4f5088
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1288768
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1288768 Sample: Confirmaci#U00f3n_de_factur... Startdate: 09/08/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 6 other signatures 2->57 7 Confirmaci#U00f3n_de_facturas_pagadas_a_su_vencimiento.exe 7 2->7         started        11 wUYWeiygfn.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\...\wUYWeiygfn.exe, PE32 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpC8D7.tmp, XML 7->39 dropped 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 Confirmaci#U00f3n_de_facturas_pagadas_a_su_vencimiento.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 21 wUYWeiygfn.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        25 wUYWeiygfn.exe 11->25         started        27 2 other processes 11->27 signatures5 process6 dnsIp7 41 checkip.dyndns.org 13->41 43 checkip.dyndns.com 193.122.130.0, 49692, 80 ORACLE-BMC-31898US United States 13->43 45 192.168.2.1 unknown unknown 13->45 71 Tries to steal Mail credentials (via file / registry access) 13->71 73 Tries to harvest and steal browser information (history, passwords, etc) 13->73 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        47 checkip.dyndns.org 21->47 49 193.122.6.168, 49693, 80 ORACLE-BMC-31898US United States 21->49 33 WerFault.exe 21->33         started        35 conhost.exe 23->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36b46cc4190ce3730b7655ca7cd4ac4cb651d4bcee0bfadce918178440a75400/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-08 07:12:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g22gzrazbtrxgc3wkxfhzvfmjs3fdvf45yf7vxhjdalyiqfhkqaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
090c4c45cf33e0c6ec59a1b61c2e9efb4326d6650b91e128bd741fc5881f51d7
AgentTesla
5273803733ac0c5735a3ce3bdca070069a39705748ca95eac2b161c8054fbb62
AgentTesla
604ee098f44bf5571e6f360dcd1995d4c96e45ee2c2aacf8fa349b62f520ee1d
AgentTesla
63b0410652da12f415ba3be83cda769bd268b83000c425f666fbefb4fddbf3be
AgentTesla
83eb06c7916703b3c45aebfc9606d4e2926d9f14220b3f970b0b4159abefcbdd
AgentTesla
8a410e64e1d936608d81d50f26a188da0640a7bfd67121dbbc4fbf705485ff25
AgentTesla
b321a1ea7cd14d6f159deef8feca34bcd4820ff2dbbf935be2003ced08a06d5e
AgentTesla
d757716097082fdcf35033613d1736f4cf02f07afb368b1381489ba8ebba3cb0
AgentTesla
e4b8b19c8c8fd39ae06ba2ec632970e7fe16f78ca1f91582461de5da1403a4ed
AgentTesla
f7428bcecf7bcdf3d3fb1a8eca5b52e15fc8fd4c90077082c538c611d5b7f97d
AgentTesla
+ 129 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/230809-vbpftadc63/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
616997399f382470ffd2e21a92fc9cdb079f055def5827e32f93def0f8dc4b94
MD5 hash:
008a405e3366acf543504224449cd65d
SHA1 hash:
e4847656bfeac2cb7b9c940d31ffaf90a63581a0
Link:
https://www.unpac.me/results/6c8332bf-827b-4ffe-b168-885957f3326e/
SH256 hash:
504410fd6158a7346f5a2e7b7714203b329d46dab5d129719410d5c325122804
MD5 hash:
74ed681a2d7aed1dae5627d4367474f8
SHA1 hash:
cad2df636d3f0710f69fdb18cbae03a332341dd3
Link:
https://www.unpac.me/results/6c8332bf-827b-4ffe-b168-885957f3326e/
SH256 hash:
89433933d94fae3138902d78fbd55849332a3ef12f0bcb9d48c53d791c291bed
MD5 hash:
f9814aed11fa195017739aed83ba29d9
SHA1 hash:
c9eb11dc4688f18fe055b6448f9bef8b85deddae
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/6c8332bf-827b-4ffe-b168-885957f3326e/
Parent samples :
5db8a4211272018122f3de2f5c87f098f125c5257f135c98e2c21a507e40dad5
36b46cc4190ce3730b7655ca7cd4ac4cb651d4bcee0bfadce918178440a75400
SH256 hash:
0a6bd230f852b0ea44610bf025b8a6388b50281a53c605782f02db246ab8423b
MD5 hash:
9f1bce530f26ae3644830b6ee8a58c07
SHA1 hash:
acafe183f3b5af3e5eba3c1160fae890e2b2a979
Link:
https://www.unpac.me/results/6c8332bf-827b-4ffe-b168-885957f3326e/
SH256 hash:
36b46cc4190ce3730b7655ca7cd4ac4cb651d4bcee0bfadce918178440a75400
MD5 hash:
d22c8ae1012d8494ad7c0a0fc7004350
SHA1 hash:
396e9b17a1469a84803673dac40d5be7244352f9
Link:
https://www.unpac.me/results/6c8332bf-827b-4ffe-b168-885957f3326e/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/36b46cc4190c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36b46cc4190ce3730b7655ca7cd4ac4cb651d4bcee0bfadce918178440a75400

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 36b46cc4190ce3730b7655ca7cd4ac4cb651d4bcee0bfadce918178440a75400

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/441703/

Comments