MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42715639c8e8557bba09d97271da711e53773311b354b802bd3136870ca2098c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42715639c8e8557bba09d97271da711e53773311b354b802bd3136870ca2098c
SHA3-384 hash: fca51f5a9fb86a8633b0563a7275a6293978bf6f98344328c29d5c76cdfe90c82d9f810df9b97d807d3c4b3c2d4c06dd
SHA1 hash: bc644fae9847f659080458aaaf9aba77b121891d
MD5 hash: 579399cb1adae16232fc27d50b4c639b
humanhash: gee-tennis-hawaii-black
File name:Akbank Hesap Özetiniz_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:728'060 bytes
First seen:2023-08-24 09:43:51 UTC
Last seen:2023-08-29 08:36:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b78ecf47c0a3e24a6f4af114e2d1f5de (301 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep 12288:8ZFpdY/RmisyiZlelPeQIQ6I21IgIHfRj0QB38MKup9UQbFrd7:oasyel2PfIQpOIgpu38MKuEQbFrR
Threatray 5'615 similar samples on MalwareBazaar
TLSH T182F4F0D2BFCB4D13C0630A764BE29B24F239DE406A1357076B54BA7E5E723916B072C6
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 04f2e1c49ab0500a (3 x AgentTesla, 2 x GuLoader)
Reporter abuse_ch
Tags:AgentTesla Akbank exe geo TUR


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.eprl.pt:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
Akbank Hesap Özetiniz_PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-08-24 09:52:31 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/d5dadaed-928c-4439-8124-6fb623ec11e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444444/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108454/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/42715639c8e8557bba09d97271da711e53773311b354b802bd3136870ca2098c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d7bcad4b-bdae-48c9-adea-5586d4da361f
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1296532
Signature
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42715639c8e8557bba09d97271da711e53773311b354b802bd3136870ca2098c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-23 08:00:06 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
18 of 36 (50.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijyvmooi5bkxxoqj3fzhdwtrdzjxomyrwnklqav5ge3iodfcbgga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
129f85ae2da5c30f9439ef123d09d75e2930f1c025e9913a91c212bbe5758c0b
AgentTesla
236c73a241d229cc820b4fa2aa914403151deb84b90939ac4760460fc107dda4
AgentTesla
2ee41490283fad1457d4870ff08f65cf2a6fd2ff0632fae5e365170824111f36
AgentTesla
485b45513f839ff3c972cbd2434273388b87c070c8c6125a8462aeabe2fb96d5
AgentTesla
68d7bd6dc7ce2ada6af865682185e9f2c33c897ec3191f0d6127d3654e69b4a1
AgentTesla
6a43a145806aa6aeef3f5c73d915281a6ea092e254ffa4fa8c2d14b0133eb603
AgentTesla
b14b4179a3ba7ec52b1c8b1eacc7ebb341b62424a3fff50c3c491da3c2b631cd
AgentTesla
bd8c4eb8ae0047367c1d20d2132d3a2fe2bdf0d197001ea4ecaa3816d59c84e9
AgentTesla
+ 5'605 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230824-lqhgdabe78/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks QEMU agent file
Loads dropped DLL
AgentTesla
Guloader,Cloudeye
Unpacked files
SH256 hash:
98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b
MD5 hash:
b8992e497d57001ddf100f9c397fcef5
SHA1 hash:
e26ddf101a2ec5027975d2909306457c6f61cfbd
Link:
https://www.unpac.me/results/3bc432d0-24d6-4be8-9e54-4873ac19bd6b/
SH256 hash:
42715639c8e8557bba09d97271da711e53773311b354b802bd3136870ca2098c
MD5 hash:
579399cb1adae16232fc27d50b4c639b
SHA1 hash:
bc644fae9847f659080458aaaf9aba77b121891d
Link:
https://www.unpac.me/results/3bc432d0-24d6-4be8-9e54-4873ac19bd6b/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/42715639c8e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42715639c8e8557bba09d97271da711e53773311b354b802bd3136870ca2098c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 42715639c8e8557bba09d97271da711e53773311b354b802bd3136870ca2098c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/444444/

Comments