MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38d4243f8cb750a5220bbb7e0a0acfad25ff6bc1cd41e281e8f8379dcd742d7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38d4243f8cb750a5220bbb7e0a0acfad25ff6bc1cd41e281e8f8379dcd742d7c
SHA3-384 hash: 95638db0b0708e060496434b5140f51398c3e85f247825716cdfc4163ac7e030f66c069a811ce77a91ec773169f45b1f
SHA1 hash: 6c43b398cfc36471b0461ac5ad4e3b036a398add
MD5 hash: eb5ee53f92ace8c899dd75b9af7a3ee8
humanhash: echo-missouri-november-gee
File name:eb5ee53f92ace8c899dd75b9af7a3ee8
Download: download sample
Signature AgentTesla
Create hunting rule
File size:634'880 bytes
First seen:2023-05-15 15:28:30 UTC
Last seen:2023-05-15 17:11:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:qJysS7fCKAhtrRynm/N/xUY6yapbPsD2/wPEYNLF:bDCFxzYpbPsD2BS
Threatray 1'222 similar samples on MalwareBazaar
TLSH T148D4CF69A9E90E62C33B43F5855813410F75E5A2AC27CD381DFF34CAE962FD019D89A3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 7aca8abab4a4b8da (33 x AgentTesla, 32 x SnakeKeylogger, 4 x DarkCloud)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
284
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
product may.docx
Verdict:
Malicious activity
Analysis date:
2023-05-15 14:26:56 UTC
Tags:
opendir exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/454a5ba2-600d-4a4c-9114-d99723cec3d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390207/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1966.373.22685.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif packed threat virus
Link:
https://www.filescan.io/uploads/64624fbf3fb7494b6c87a3a8/reports/66d0ccdc-f662-4648-9748-f35857cdd1b3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/38d4243f8cb750a5220bbb7e0a0acfad25ff6bc1cd41e281e8f8379dcd742d7c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87d3e4c5-dfc6-405d-82bc-e437d6433266
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1233880
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 866862 Sample: FytnuSnOCf.exe Startdate: 15/05/2023 Architecture: WINDOWS Score: 100 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Sigma detected: Scheduled temp file as task from temp location 2->74 76 6 other signatures 2->76 7 FytnuSnOCf.exe 7 2->7         started        11 fhQKYc.exe 5 2->11         started        13 sOFvE.exe 3 2->13         started        15 sOFvE.exe 2->15         started        process3 file4 48 C:\Users\user\AppData\Roaming\fhQKYc.exe, PE32 7->48 dropped 50 C:\Users\user\...\fhQKYc.exe:Zone.Identifier, ASCII 7->50 dropped 52 C:\Users\user\AppData\Local\...\tmpDB1B.tmp, XML 7->52 dropped 54 C:\Users\user\AppData\...\FytnuSnOCf.exe.log, ASCII 7->54 dropped 86 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->86 88 May check the online IP address of the machine 7->88 90 Uses schtasks.exe or at.exe to add and modify task schedules 7->90 92 Adds a directory exclusion to Windows Defender 7->92 17 FytnuSnOCf.exe 17 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        94 Multi AV Scanner detection for dropped file 11->94 96 Machine Learning detection for dropped file 11->96 98 Injects a PE file into a foreign processes 11->98 26 fhQKYc.exe 11->26         started        28 schtasks.exe 11->28         started        30 fhQKYc.exe 11->30         started        32 sOFvE.exe 15->32         started        34 schtasks.exe 15->34         started        signatures5 process6 dnsIp7 56 api4.ipify.org 64.185.227.155, 443, 49687 WEBNXUS United States 17->56 68 3 other IPs or domains 17->68 44 C:\Users\user\AppData\Roaming\...\sOFvE.exe, PE32 17->44 dropped 46 C:\Users\user\...\sOFvE.exe:Zone.Identifier, ASCII 17->46 dropped 78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->78 80 Tries to steal Mail credentials (via file / registry access) 17->80 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->82 36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        58 173.231.16.77, 443, 49689 WEBNXUS United States 26->58 60 208.91.199.224, 49693, 587 PUBLIC-DOMAIN-REGISTRYUS United States 26->60 62 api.ipify.org 26->62 40 conhost.exe 28->40         started        64 104.237.62.211, 443, 49690 WEBNXUS United States 32->64 66 api.ipify.org 32->66 84 Tries to harvest and steal browser information (history, passwords, etc) 32->84 42 conhost.exe 34->42         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38d4243f8cb750a5220bbb7e0a0acfad25ff6bc1cd41e281e8f8379dcd742d7c/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-15 09:23:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
14 of 24 (58.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdkcip4mw5ikkiqlxn7aucwpvus7626bzva6fapi7a3z3tlufv6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
21a5e58e2fe39e481f9977f94a94d352c4c492e9bd6d79d4ae3bbf4cc4a2d751
AgentTesla
4581026ca8972214b08a22a0b621d607997da7586b828e02bfab11a5ca5de33f
AgentTesla
7d4221474c9d762be541c0a9dfe4b551b7d287f823246f7482795a9d628bbb78
AgentTesla
9ade1aaf821812d038b9bab451e0b48fad06c688e738a522e2d3d9947421209a
AgentTesla
baa855589cec9a4aeff9575393b8f2a46f5e2251dfc8f8cc009c5a6690ec9409
AgentTesla
c6dcc5ea2ef3af8a214da77f1b3d14af29cc066fbcc952b291494ae321279edd
AgentTesla
d9672edbb45fefa3ca9a12a91c8d27727f3e5262c76cac9efbf67925d6d6fb78
AgentTesla
e2e44650ba8303af8f989baa14c50855cd25249e664d3ef5039edbbd6f3ca32e
AgentTesla
fd7a04ef2040fb5bc9216fe5deebd9cf7d1190e7fbdc0e15a42a6c8b639de167
AgentTesla
+ 1'212 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230515-sww1aagb68/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a2c1ebe70aa388ade35894bf53c8088bbd67b107d89cf555b32d60273119c4f8
MD5 hash:
70df39d0e9ff79f4b2ed130670404552
SHA1 hash:
577a3a1228d5de0859af35499e2dc982671d709e
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/7314916e-2bd6-480e-9e13-29e5de674c30/
SH256 hash:
7342e0e3016be9e6f17c6214ad36b69ae6245118f2aba753c690d65666b35ee2
MD5 hash:
9e78df360fc4d85177e22e0ddb7ef8c4
SHA1 hash:
4ef49fd744b81917874d95d2a596abeea8da3c4d
Link:
https://www.unpac.me/results/7314916e-2bd6-480e-9e13-29e5de674c30/
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/7314916e-2bd6-480e-9e13-29e5de674c30/
SH256 hash:
a022cec67b0ac527280d02bdf44b27e6874aac106f5da509fbba23ece015138a
MD5 hash:
377e53e42dc75280338a8dba058976b8
SHA1 hash:
0ef413a3ecaf33fde65ddf36ce2295b5fbd909e3
Link:
https://www.unpac.me/results/7314916e-2bd6-480e-9e13-29e5de674c30/
SH256 hash:
6722a58c81f6d11004e880bd8481acc423bf96afd46bf692f1562cfa4c5852bd
MD5 hash:
d92d2ba953be4be2d6f2bc859ec5c607
SHA1 hash:
05da51752277bd907ebcfb799524ec7655abbc3a
Link:
https://www.unpac.me/results/7314916e-2bd6-480e-9e13-29e5de674c30/
SH256 hash:
38d4243f8cb750a5220bbb7e0a0acfad25ff6bc1cd41e281e8f8379dcd742d7c
MD5 hash:
eb5ee53f92ace8c899dd75b9af7a3ee8
SHA1 hash:
6c43b398cfc36471b0461ac5ad4e3b036a398add
Link:
https://www.unpac.me/results/7314916e-2bd6-480e-9e13-29e5de674c30/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38d4243f8cb7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 38d4243f8cb750a5220bbb7e0a0acfad25ff6bc1cd41e281e8f8379dcd742d7c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2632458/
Cape
Cape
https://www.capesandbox.com/analysis/390207/

Comments


Avatar
zbet commented on 2023-05-15 15:28:37 UTC

url : hxxp://192.227.228.120/60/vbc.exe