MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38b7e813402447704258ca274ea142fc05f52da70913bbd3d31392a855287f8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38b7e813402447704258ca274ea142fc05f52da70913bbd3d31392a855287f8e
SHA3-384 hash: 01af0953db06c8dd83ea1752ef924efdb7f8631e46b159170ee4e96e9b3babad8661ab12454bfc87a7e304cdf35f0706
SHA1 hash: e153e10eab2cd19670556cbbf9574466ea5c9dc6
MD5 hash: b8fe27d56bffaa847b7ccff25ff4ea17
humanhash: coffee-oranges-arizona-lamp
File name:SWIFT 56650XXXX_0716NSMI0015024.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:312'968 bytes
First seen:2023-06-12 06:39:14 UTC
Last seen:2023-06-12 09:21:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep 6144:pYa6wXxVSu2LnN8p793SrXhum1I0vw5oFNl+9hNZHAtyZIegxSs8inYYk3vCK:pYCxVSuiN8p9Mi045sIv1g8sxnYY6KK
Threatray 867 similar samples on MalwareBazaar
TLSH T19B6413096FD9D467C4621F710E76D72E7FA1EC3A2878869F13480B1F7C516A2DA25343
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
270
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT 56650XXXX_0716NSMI0015024.exe
Verdict:
Malicious activity
Analysis date:
2023-06-12 06:45:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/61df4fa0-89e6-4f49-93aa-a2b2f4eecb56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/397842/
Detection(s):
Sanesecurity.Malware.28947.BadP.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90304/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6486bdc3aad7e2da5ce01f4f/reports/72fb7451-84a3-4a08-a332-36c9d01844ab/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/38b7e813402447704258ca274ea142fc05f52da70913bbd3d31392a855287f8e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f3ef1f5-987c-4197-b8a9-39257f5bf7dd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1252728
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 885748 Sample: SWIFT_56650XXXX_0716NSMI001... Startdate: 12/06/2023 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 4 other signatures 2->58 6 SWIFT_56650XXXX_0716NSMI0015024.exe 1 21 2->6         started        10 lhqavfbkt.exe 19 2->10         started        12 lhqavfbkt.exe 19 2->12         started        14 lhqavfbkt.exe 2->14         started        process3 file4 24 C:\Users\user\AppData\...\lhqavfbkt.exe, PE32 6->24 dropped 26 C:\Users\user\AppData\...\ngwacmnltw.dll, PE32 6->26 dropped 60 Detected unpacking (changes PE section rights) 6->60 62 Detected unpacking (creates a PE file in dynamic memory) 6->62 64 Detected unpacking (overwrites its own PE header) 6->64 76 3 other signatures 6->76 16 SWIFT_56650XXXX_0716NSMI0015024.exe 17 3 6->16         started        28 C:\Users\user\AppData\...\ngwacmnltw.dll, PE32 10->28 dropped 66 Antivirus detection for dropped file 10->66 68 Multi AV Scanner detection for dropped file 10->68 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->70 72 Machine Learning detection for dropped file 10->72 20 lhqavfbkt.exe 14 2 10->20         started        30 C:\Users\user\AppData\...\ngwacmnltw.dll, PE32 12->30 dropped 74 Maps a DLL or memory area into another process 12->74 22 lhqavfbkt.exe 2 12->22         started        signatures5 process6 dnsIp7 32 api4.ipify.org 104.237.62.211, 443, 49698, 49702 WEBNXUS United States 16->32 34 smtp.gmail.com 142.251.31.108, 25, 49699, 49701 GOOGLEUS United States 16->34 42 2 other IPs or domains 16->42 44 Creates multiple autostart registry keys 16->44 36 64.185.227.155, 443, 49700 WEBNXUS United States 20->36 38 api.ipify.org 20->38 40 api.ipify.org 22->40 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->46 48 Tries to steal Mail credentials (via file / registry access) 22->48 50 Tries to harvest and steal browser information (history, passwords, etc) 22->50 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/38b7e813402447704258ca274ea142fc05f52da70913bbd3d31392a855287f8e/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-12 03:27:16 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hc36qe2aerdxaqsyzitu5ikc7qc7klnhbej3xu6tcojkqvjip6ha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3ab1320757d68dbf0e5eb5d31cf81247952c244bbfbda9466cd83d112efc2c72
AgentTesla
8770f9d32f3b5b26267d6320c355f576df3d09e49d58e50ac16d044f4cf2cf54
AgentTesla
8e0884e51a92a725d4d5da82ba69173c4402d7030421d0aa65f40245c2795485
AgentTesla
9ada0ca121fe2b402b0da1728cd9f1fbb36d61a62fd40bbe8428756c329e04e8
AgentTesla
b0302231ae277b08e383cef527b093307edf552a1777b5c9a088e2e1c61ad6fe
AgentTesla
b36b113a82b932ee2081484ca969a0fc4008c80199c4c8ab1d3f66f12d9e60f7
AgentTesla
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
AgentTesla
c4ab14d93e54b2c6e70fa0f284cee729b56186894dfdff4207cbc3d0c690c80f
AgentTesla
cd5a3db769491e5e9b19fe8f2703456f82dbd128babacf54ac1c494587665f72
AgentTesla
f51bdb3c0026435904048abffb411be8b57143de59d0e66a3e2dfa3f2e5692ad
AgentTesla
+ 857 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230612-he7qcabe41/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
3f133a3f7db728d14ae7aaceacf82e72d01d49f7540a7777e284052a41e7735b
MD5 hash:
703c919865bed3b112ef8631fd9aebd1
SHA1 hash:
3acc2c52d100627b05b0649d49e62da10bc890f7
Link:
https://www.unpac.me/results/f9eb6067-12dc-44d7-894d-7796bea34886/
SH256 hash:
38b7e813402447704258ca274ea142fc05f52da70913bbd3d31392a855287f8e
MD5 hash:
b8fe27d56bffaa847b7ccff25ff4ea17
SHA1 hash:
e153e10eab2cd19670556cbbf9574466ea5c9dc6
Link:
https://www.unpac.me/results/f9eb6067-12dc-44d7-894d-7796bea34886/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38b7e8134024/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38b7e813402447704258ca274ea142fc05f52da70913bbd3d31392a855287f8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 18729fe07a8017475fe96cb1c3975076929c8e1c1c5226da9c43a193bddaa25c

AgentTesla

Executable exe 38b7e813402447704258ca274ea142fc05f52da70913bbd3d31392a855287f8e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/397842/
  
Dropped by
SHA256 18729fe07a8017475fe96cb1c3975076929c8e1c1c5226da9c43a193bddaa25c
  
Dropped by
MD5 36023beb5907f7fb868ac4f7364c3ea3

Comments