MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81278e61b365975c3ba6eb47c4734c4831e2488dfd3357cf8d0d018b4a57123f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81278e61b365975c3ba6eb47c4734c4831e2488dfd3357cf8d0d018b4a57123f
SHA3-384 hash: 151fd24c784d482067e0667880ffb4ee4f0d51b5f646271cff3754af28c76be6f762cde75406efcc4b5a23daf0e4872a
SHA1 hash: f14cd79d94d5edf2f9b006689f468baa25e971c4
MD5 hash: 9d97e728e9d190e4be44cd0e2b6af94e
humanhash: glucose-mango-equal-edward
File name:SHIPING DOC.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:489'984 bytes
First seen:2022-11-28 13:17:40 UTC
Last seen:2022-12-09 23:52:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:mT9ZvF2KWHeaAabCMWh+mgXlwCE9Ra6Mu2C/E:+9ZvF2zAabjJAW6Mu3/
Threatray 690 similar samples on MalwareBazaar
TLSH T138A4235EB3E69F3FC27BA33570F28765473CA0502D68670EB8ABCC78D6D51894B42960
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SHIPING DOC.exe
Verdict:
No threats detected
Analysis date:
2022-11-28 13:20:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6bdd1544-d6e4-445b-bca7-b7bf7986282b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339433/
Detection(s):
SecuriteInfo.com.Malware.PDB-57.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6384b50b559d07a06f47f5e3/reports/56ca2179-947a-4bf2-9918-11bc0023f000/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/22066152-4c34-40e0-9393-8ac4bf900277
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1122534
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81278e61b365975c3ba6eb47c4734c4831e2488dfd3357cf8d0d018b4a57123f/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 00:36:59 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qety4yntmwlvyo5g5nd4i42mjay6esen7uzvpt4nbuaywssxci7q._file
Verdict:
malicious
Similar samples:
17fad325e9717e20c930f698f08f711320a505560e239b5de9df67c62258a3bd
AgentTesla
34607326603ce36c63cde3c1a556390d7d3430220ba5cdb3477b75d1f3b21184
AgentTesla
55cf18f4491e2db87c5612b2501dbbd3acd9c6460b1863ab56f5d9209cbecbdc
AgentTesla
ac1bbc53ec6158d8dfa191b81292c96d8fb106d4ea196a6bef55027e0702b6f9
AgentTesla
c4a2d1a93c9da2d51ae8d0ef88b1dbf6fecd931714d9a09221c4f928f6861ce3
AgentTesla
d1ca3f8fb1acd28ee6ce1227880e74fca8aa908ca373931a5180f3cb76bb8fe1
AgentTesla
dd1d02c072a5644dbbbcadc2a8b6195cd420b55a6f8ec2309d0e1682f434bdff
AgentTesla
fc4f03fc4b6d9495dfee1c7e31788915bc3d2bb25eb007f2fc4cbefaf2793491
AgentTesla
+ 680 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221128-qjybgafa65/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Unpacked files
SH256 hash:
81278e61b365975c3ba6eb47c4734c4831e2488dfd3357cf8d0d018b4a57123f
MD5 hash:
9d97e728e9d190e4be44cd0e2b6af94e
SHA1 hash:
f14cd79d94d5edf2f9b006689f468baa25e971c4
Link:
https://www.unpac.me/results/1fce6a7f-192e-4a67-a869-7e7aaeca1c54/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/81278e61b365975c3ba6eb47c4734c4831e2488dfd3357cf8d0d018b4a57123f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 20e8fa4689ac7f33bd5cab7f7a2714b7a666e686ac84e87bf03c4794f07406a3

AgentTesla

Executable exe 81278e61b365975c3ba6eb47c4734c4831e2488dfd3357cf8d0d018b4a57123f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/339433/
  
Dropped by
SHA256 20e8fa4689ac7f33bd5cab7f7a2714b7a666e686ac84e87bf03c4794f07406a3
  
Dropped by
MD5 8bbebab08e4fd303756125b0588b9bc2
  
Dropped by
SHA256 21a3b261641329b4b3fbb79d32476bdd05a7a4453848cd0cd41407b90b2948e8
  
Dropped by
MD5 2d2000ae7f5fe844c579d1e90f455b06

Comments