MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 737c793ff39777794be91be5faf14ea810f01dc76947f8154accab53c5567904. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 737c793ff39777794be91be5faf14ea810f01dc76947f8154accab53c5567904
SHA3-384 hash: 418738043e46e301a6803d9ec30faaf7cfe569b2f9bef4a97bc9e70407e81c03572bbf90246af619d98e44f6340b0494
SHA1 hash: 97212b4219438896ce6c8b128535c78a16d73e9a
MD5 hash: a13af10c28c2b345dfef80962e84ce7a
humanhash: cat-pluto-wolfram-mockingbird
File name:AWD_Notification_of_shipment_679837419.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:875'520 bytes
First seen:2022-01-25 05:10:40 UTC
Last seen:2022-01-25 06:51:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:qi1S/1wAW0/mmnshojJhcyA54keVdgnB2:9S/80m5GjJiyA54kd
Threatray 14'243 similar samples on MalwareBazaar
TLSH T184150123769DC920C62903BA40CFC11803B97A56EA33E7897EC977DE4F027965D8C95B
File icon (PE):PE icon
dhash icon 136d455d6d4d550b (25 x AgentTesla, 9 x Formbook, 5 x Loki)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/222160/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.28756.11604.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/61ef8668f81da814afa235cc/reports/ff28bb58-1f62-44e4-840c-7d601d04a8a2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a4790b51-1b91-4765-8d0e-1d5da5af0aa2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/926774
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/737c793ff39777794be91be5faf14ea810f01dc76947f8154accab53c5567904/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 05:11:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03ef8714bc60d14808b9d17373c5e34198a4e7a60cdebab1e18f9e49c394f7d1
AgentTesla
05d2cc58039f7d736dcaea7fc43415966758d7befeabf4be9d15ec4f0bb4431e
AgentTesla
10bc2e408693bfa36e2d6cb6831609f80a5d1466990bbdfc75ccd22cc035c91b
AgentTesla
5bd13d385d28d048cdbec98575a445b4dedbe6224ce72a0e7cefc1fcd6d7cb7c
AgentTesla
6fe4ed3b3c7cc3cfa8ef38e74a7a2edac816629d279ea49f26cbbf9c0addeda3
AgentTesla
8e185bd58ad5131fdbe60c267f00b1e661d39eefe850543fb56243662dbac318
AgentTesla
a14532851a6cf9501f2a4f5b0ecc61d4ef8e10d220a401b220cd06ae8f83aeee
AgentTesla
aadf4a2325f03bbc80d38bc0c033e5ecc945a9b132570533f5a3fc41a6e034d6
AgentTesla
ffba8268d30163bd548364c188f6ab0b4ea3ac9b1568aa3f9eb963e8d9c1792a
AgentTesla
+ 14'233 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220125-fvadnshbg9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e31a474ec162894f691e519e394f796f5126f01bad6ab1249329eabf69050b14
MD5 hash:
d4e67e2a4e55c497ed7e9a76b47dcad0
SHA1 hash:
b67a39576a821b5d5fe8322c5b5f160303011177
Link:
https://www.unpac.me/results/bbd82d1b-7656-4d28-8881-3d3438b98d99/
SH256 hash:
626009359ec0ac239f7eeb9cf6ad65f52317377c680e6908b280397fd8ec1774
MD5 hash:
932b10e01892f92b6d6407ed2976229e
SHA1 hash:
720021345497beaa0c15fc69bc24952886eb5609
Link:
https://www.unpac.me/results/bbd82d1b-7656-4d28-8881-3d3438b98d99/
SH256 hash:
8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1
MD5 hash:
efdf2c54a74297c24bc73285376c432b
SHA1 hash:
564f25afb6c5599cdcd5fafaff32c1475e581af4
Link:
https://www.unpac.me/results/bbd82d1b-7656-4d28-8881-3d3438b98d99/
SH256 hash:
737c793ff39777794be91be5faf14ea810f01dc76947f8154accab53c5567904
MD5 hash:
a13af10c28c2b345dfef80962e84ce7a
SHA1 hash:
97212b4219438896ce6c8b128535c78a16d73e9a
Link:
https://www.unpac.me/results/bbd82d1b-7656-4d28-8881-3d3438b98d99/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/737c793ff397/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/737c793ff39777794be91be5faf14ea810f01dc76947f8154accab53c5567904

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/222160/

Comments