MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 433e7f14b1114b2b401e99fcfcc04cb7bcf5e7fcf402821cea3663124dac5644. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 433e7f14b1114b2b401e99fcfcc04cb7bcf5e7fcf402821cea3663124dac5644
SHA3-384 hash: 96e3bce5f1c75353f6bc0ef2177a347e338fbef432a943309c7002f797365d3b994663fbb23e0fccfeb9e1c0cd08d53e
SHA1 hash: 1c254b13f811abc62179bb68a53c923c5d6333a3
MD5 hash: b6a332402552a1db7108a8fbb45e0e0e
humanhash: summer-yankee-edward-hot
File name:b6a332402552a1db7108a8fbb45e0e0e.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:945'152 bytes
First seen:2023-03-09 08:45:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:EEP78/1LUqAEadiidFGSse0uxBWfjrLdcU:8mlEafCyxBWfjrLdc
Threatray 1'310 similar samples on MalwareBazaar
TLSH T13B15CF89B3714173EC8F41794927C1DF2C44F98B7621E237573B7A82E6991BF7A88212
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b6a332402552a1db7108a8fbb45e0e0e.exe
Verdict:
Malicious activity
Analysis date:
2023-03-09 09:06:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e07caecf-6d34-4e53-a953-534db3ced652

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372919/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64099cceed3d33698044fe01/reports/355ae8a6-8f3e-4e0f-8615-f504f99626dd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/433e7f14b1114b2b401e99fcfcc04cb7bcf5e7fcf402821cea3663124dac5644
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16ffc512-e1b3-46a7-b7ea-3326fcfcd279
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1190163
Signature
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/433e7f14b1114b2b401e99fcfcc04cb7bcf5e7fcf402821cea3663124dac5644/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 12:01:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=im7h6ffrcffswqa6th6pzqcmw66plz746qbiehhkgzrretnmkzca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b500a500c912eed51044243c54249ccd8a1f0912cae4f72764108c6bc07e7e8
AgentTesla
3047d199e9540948a25c577cc9181b77d26708c2539c660706a8fd12fec2db1b
AgentTesla
4d265e6df24188d863cd6dee6439b264c2006dd9a203a6e47d72fdb398081015
AgentTesla
5b62fd08b3a979449bc21a217e7057e710e5a66ab1f4159a935db45629e24156
AgentTesla
6dbd277a53e2c621a778a18ed9fc38ed556afc145683481aeb55301d1a574961
AgentTesla
85609c31587f7752298afe029c049ab5ead5997bfbc6cc31151bf5e90ed41072
AgentTesla
bc282c69e6f9c69b93651c0d399318577b6f9494c0b851eadb4a5b44bfef1262
AgentTesla
bd0c9e976c855ac799940806d40aaf41a214241bd303a9d3f35fe410544eb447
AgentTesla
cac42576ce1d941b30261fea52e04e229a88db712de63e283320dc63c3e13e20
AgentTesla
f246a2928ff4385319ee284a0da694797eb0329423b2ac35a5bc468d56d43263
AgentTesla
+ 1'300 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230309-kpb3jaad8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
dd49948e0b3393a8b53084075ec2f2a8c36813d1ba1ca538697eb62ec4b4deae
MD5 hash:
538dab51e58b7dd3809664982f4d0746
SHA1 hash:
4e7f9615f1d96b087c453a72217662f867e0520d
Link:
https://www.unpac.me/results/29f3a80f-affb-4c33-bb87-df16402b7d65/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/29f3a80f-affb-4c33-bb87-df16402b7d65/
SH256 hash:
cb85d77cb556485e6eeefe2a1ce6d97ad85c7a44ed766246b8b72f45418ce16b
MD5 hash:
419114395634a1b160754fbe2f316f50
SHA1 hash:
109b84c5a8b8fea96c90df66cf25a664fdf92d41
Link:
https://www.unpac.me/results/29f3a80f-affb-4c33-bb87-df16402b7d65/
SH256 hash:
5ec6aff0a4bbdfb501e25a5277a41546782acb484db51b31f9792a9f6eccc121
MD5 hash:
69903a2a230a805f3fb362f18f95737f
SHA1 hash:
0ca70a4f69a4ddb24158069753706408fe47a041
Link:
https://www.unpac.me/results/29f3a80f-affb-4c33-bb87-df16402b7d65/
SH256 hash:
4bcc8bd9aed749c54ea1d9284599549cc8322e25dce4db44e5534760d4109d40
MD5 hash:
adf8eeb991ffb0445fcad046ca9a8b64
SHA1 hash:
015d5d98fc31e42debd81d57dc1edc385d129316
Link:
https://www.unpac.me/results/29f3a80f-affb-4c33-bb87-df16402b7d65/
SH256 hash:
433e7f14b1114b2b401e99fcfcc04cb7bcf5e7fcf402821cea3663124dac5644
MD5 hash:
b6a332402552a1db7108a8fbb45e0e0e
SHA1 hash:
1c254b13f811abc62179bb68a53c923c5d6333a3
Link:
https://www.unpac.me/results/29f3a80f-affb-4c33-bb87-df16402b7d65/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/433e7f14b111/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/433e7f14b1114b2b401e99fcfcc04cb7bcf5e7fcf402821cea3663124dac5644

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 433e7f14b1114b2b401e99fcfcc04cb7bcf5e7fcf402821cea3663124dac5644

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2322915/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/372919/

Comments