MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67d4ee9e6ff5fbe379250a946da129ed87a24d5d519d223450b7dfd885b4ab11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

Intelligence 19 IOCs YARA 7 File information Comments

SHA256 hash:	67d4ee9e6ff5fbe379250a946da129ed87a24d5d519d223450b7dfd885b4ab11
SHA3-384 hash:	d4bb67ee8125e36f62ecaa970c4c301eff142cc6fe79e58895b659d2cefea1b288ee80ddc9492322004d588b0240cb88
SHA1 hash:	ea45e99f1ece256147ed20bb9f342fac188646c6
MD5 hash:	a39f88ff85d6cfda6c57ac1e6fc25c3d
humanhash:	failed-skylark-violet-johnny
File name:	AWB733988905AA DHL Package 733988905AA.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	328'535 bytes
First seen:	2023-02-21 13:19:38 UTC
Last seen:	2023-02-21 14:36:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:/Ya6JmeZi5u4y5ZH4xCm5/MsuHVTU73HhB4+cQHboDDjwbEa815bK9cvCZ1/YxTw:/YTmXQpsV0sgVTU73Bu+2Eo1dKX1/U8
Threatray	2'667 similar samples on MalwareBazaar
TLSH	T1026413207BF48673D0C24B742D37936B1DE6A6262D2A928703404B697F33790EE6F795
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

AWB733988905AA DHL Package 733988905AA.exe

Verdict:

Malicious activity

Analysis date:

2023-02-21 13:20:47 UTC

Tags:

trojan rat agenttesla

Link:

https://app.any.run/tasks/fcec95b5-198e-4d89-8172-0591179a6b68

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/368635/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.23127.12939.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Searching for the window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/71962/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

mimikatz overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63f4c507d385ee58584e4806/reports/7d761e63-8846-45a4-b4d6-2e699473e256/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/67d4ee9e6ff5fbe379250a946da129ed87a24d5d519d223450b7dfd885b4ab11

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a4ad380f-63e0-43b6-b5bd-cbda20857ff3

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1179756

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/67d4ee9e6ff5fbe379250a946da129ed87a24d5d519d223450b7dfd885b4ab11/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-21 10:23:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m7ko5htp6x56g6jfbkkg3ijj5wd2etk5kgosencqw7p5rbnuvmiq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

63d326378f14d1814e0a2fe7ffc08d5d770f1dc6771ee07729700535094f0997

AgentTesla

a9c29ccb259ed6f5ff5ee320b6db411965393b1214516e997b9737009e81c535

AgentTesla

c44e9ac12ce90aac4ecb72c2c2077c9d068293bfb3ce47956f12a98a6b1f8746

AgentTesla

c7859e38dac67d93a0be63264364683ce6fd6b22f9145fdf7f45294458cae5a0

AgentTesla

d9e7d9699b28022d1fd6b5ced9f32e3dd3210475d6a2b2ec770d331d6a910a53

AgentTesla

eae32b5ad9674c7bf4fd973786cae305a69b47c28f6318262fcaabbafc442836

AgentTesla

+ 2'657 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230221-qk4vmsgg3x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

e4aaf19ab58a9336085234c8064d42ab2506305d80a8738656f2f63b1b6e395b

MD5 hash:

53bafceb44f66074283ebee1a297eba9

SHA1 hash:

aa429c19fb377151b239f7db5f670aadc027ae1f

Detections:

AgentTesla

Link:

https://www.unpac.me/results/07d14819-e6e4-477a-9089-da271abc2287/

Parent samples :

c7cc9b494022ce3e0e73f9da5a6e8c1ba4541b012c0b73be4bb4a10b2eb4c801
c0d0fe7c94e5eea8895b8b3d1a82cf8030883e1e3a5404966761d08a29063d89
c496880015b8aca953669bbfefd71f7c777370e3c12b042d6556f3e8c96d886c
8fd45841fb13a3559678bffcc6aa5d583c9d38918a5657aa8fa0337821adb237
571b5a5b56217afed525b3602ef2b894650c6c419fc18e70bfe74e2973e207f2
c7859e38dac67d93a0be63264364683ce6fd6b22f9145fdf7f45294458cae5a0
31f74743aed6aabe5af121a44785c9e68b951a7d16849873d346503d79868246
67d4ee9e6ff5fbe379250a946da129ed87a24d5d519d223450b7dfd885b4ab11
5efb7a214b43bc47d505091c168ad6ef30706a7632a98b080460895845ded776

SH256 hash:

15bda5bd1e7736b7d4b611577863c8f33014804a5e4cb1cd62628fd9713242a4

MD5 hash:

b8f783786ffbd31c37dbac653d93dc1a

SHA1 hash:

6d18a01b6230920c2bc8032d0721926dad26c059

Link:

https://www.unpac.me/results/07d14819-e6e4-477a-9089-da271abc2287/

SH256 hash:

b2b210a8f796bb5809bb038b8f36391895ade5ff221a9f1a01634df0045541c6

MD5 hash:

85728023dbca4fef559186f9e13415cf

SHA1 hash:

86cc5828981b13c9e17f80383196358ed64253a7

Link:

https://www.unpac.me/results/07d14819-e6e4-477a-9089-da271abc2287/

SH256 hash:

67d4ee9e6ff5fbe379250a946da129ed87a24d5d519d223450b7dfd885b4ab11

MD5 hash:

a39f88ff85d6cfda6c57ac1e6fc25c3d

SHA1 hash:

ea45e99f1ece256147ed20bb9f342fac188646c6

Link:

https://www.unpac.me/results/07d14819-e6e4-477a-9089-da271abc2287/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/67d4ee9e6ff5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/67d4ee9e6ff5fbe379250a946da129ed87a24d5d519d223450b7dfd885b4ab11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_AgentTesla_d3ac2b2f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 67d4ee9e6ff5fbe379250a946da129ed87a24d5d519d223450b7dfd885b4ab11

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/368635/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample