MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c33fa2c2e322a471fd53eeb35f72960019fe1e47f34060a5cb1600a6ce20752a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AgentTesla
Vendor detections: 7

SHA256 hash: c33fa2c2e322a471fd53eeb35f72960019fe1e47f34060a5cb1600a6ce20752a
SHA3-384 hash: c3ee95a0e6a8df49d877c1f52584172aa312734a3102327c3d7c7fb4a16ac2d0a48a840e5dd2198c88ca44199c1c0a12
SHA1 hash: 098e06e79640a5f76645e240c88f075464004162
MD5 hash: 6a9b756ec8bc0c666fe77bc2a92a3fed
humanhash: mexico-fix-six-skylark
File name: 6a9b756ec8bc0c666fe77bc2a92a3fed.exe
Signature: AgentTesla
File size: 449'024 bytes
First seen: 2021-03-11 07:37:16 UTC
Last seen: 2021-03-11 09:47:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 6144:t+OWF7hQmhHIjGEIMzx0qwPrecdWS2pZR5EndpcjtPF2ldhHt9mZp:t+OWF7hQmhH0GEIGx1arZoBupcBNYnm
Threatray: 41 similar samples on MalwareBazaar
TLSH: 09A49D100A7C5556F6428F37303F3A346F962FD9190AEC01699EB0ABDAFB33811ED695
Reporter: abuse_ch
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 118
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6a9b756ec8bc0c666fe77bc2a92a3fed.exe
Verdict: Malicious activity
Analysis date: 2021-03-11 07:39:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour:
- Sending a UDP request
- Unauthorized injection to a recently created process
- Creating a file
- Creating a window
- Enabling the 'hidden' option for analyzed file
- Creating a file in the %temp% directory
- Moving a recently created file
- Enabling autorun by creating a file
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: adwa.evad
Score: 72 / 100
Signature:
- .NET source code contains method to dynamically call methods (often used by packers)
- Drops PE files to the startup folder
- Injects a PE file into a foreign process
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Yara detected Beds Obfuscator
Threat name: ByteCode-MSIL.Infostealer.Stelega
Status: Malicious
First seen: 2021-03-11 01:00:46 UTC
AV detection: 11 of 27 (40.74%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Beds Protector Packer
Unpacked files

Unpacked file 1
SHA256 hash: 97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash: 8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash: fb90b0ca51118e771390d58b19d0a404ee14cfbc

Unpacked file 2
SHA256 hash: 5906131cd49d5a31a1a7822ea84b8a663cad2b0020e48548b5d61821a840bb37
MD5 hash: 66a3e859b4c5a574c5007eb78f8adc63
SHA1 hash: 50191feb0e2208f3495d0198b499e6e919cfb7e1

Unpacked file 3
SHA256 hash: e4312af1a4743598fcac13107e8c234a31e48eb205e4a6ad1623b77f2f984171
MD5 hash: b383b32618d78ff5c451e9dd526f5c33
SHA1 hash: 281d98b2524d65cb14c6a48380e7e26aae79f3c2

Unpacked file 4 (same hashes as the submitted sample)
SHA256 hash: c33fa2c2e322a471fd53eeb35f72960019fe1e47f34060a5cb1600a6ce20752a
MD5 hash: 6a9b756ec8bc0c666fe77bc2a92a3fed
SHA1 hash: 098e06e79640a5f76645e240c88f075464004162
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AgentTesla
File: Executable exe c33fa2c2e322a471fd53eeb35f72960019fe1e47f34060a5cb1600a6ce20752a (this sample)

Delivery method: Distributed via web download
