MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c97771c3c9da5cec4bb033a94ac643eab26d44c4e58e9e073465799244ca4a57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c97771c3c9da5cec4bb033a94ac643eab26d44c4e58e9e073465799244ca4a57
SHA3-384 hash: 336440486c76925b9484d45f5502982b5d1fca5d3f4a85e3633809cf331cb301f08f95bf4c64723edf7adac4ed42fc44
SHA1 hash: a81242531f9dd095edce3a0147445c30bf321cf3
MD5 hash: 4d624a352c28ce4c34314ccbe132d66e
humanhash: pip-fillet-pasta-cold
File name:Maerskline New Shipment-SOL10123127.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:914'944 bytes
First seen:2023-03-28 07:03:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:O74X1DgHnkOZ23YOPM7mn0NMWeopAJ2rgVR:vNGkb3YO90NMW1ASg
Threatray 1'861 similar samples on MalwareBazaar
TLSH T16D15D088F640B19FC717CD758AA44C20D6AC60E7470BF60F914B19EBD5EDAD69E022E3
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 6820f4ccd4d4e868 (11 x AgentTesla, 8 x SnakeKeylogger, 4 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe Maersk

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Maerskline New Shipment-SOL10123127.exe
Verdict:
Malicious activity
Analysis date:
2023-03-28 07:08:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ecf33640-bfbb-4140-8ff1-90b5e6aa0e28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378095/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/64229167318b503355a8cab5/reports/619f3f13-3ad4-4545-b9fe-a75f36452cee/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c97771c3c9da5cec4bb033a94ac643eab26d44c4e58e9e073465799244ca4a57
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6053723-5718-4993-ae13-e70bfc870872
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1203202
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c97771c3c9da5cec4bb033a94ac643eab26d44c4e58e9e073465799244ca4a57/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-27 20:19:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zf3xdq6j3jooys5qgouuvrsd5kzg2rge4whj4bzumv4zergkjjlq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
14dc4992e993f0b0b7b176ee8dd0314ab77e1512e6319f0369b6f9fe45369297
AgentTesla
2c5117280800871fbceb13a571a8d602c17f3c08247c8ccf546bb9dc8adda73e
AgentTesla
2e88105d979bfbe65b2ed9322114fc21ef9e1fdb324a63d6198defd1e976d36e
AgentTesla
462b121f72bc42fcefcfc67174e4de53083b977458c7ed3d4009eec6bddd3f1b
AgentTesla
493781dc1d845e09f96742dfdc2edaef673ac5d4b2139875929166f2627dc161
AgentTesla
918057f4d236bf49e9efaceb3c4aaab580baf9960ac45d2fe8d97c5d98111f73
AgentTesla
b05548e7921f293f59a8fa99b2eba03957daa2ae01275e48d94a75a3ca941288
AgentTesla
c0cbab8b9504e2575456d0f902b264123362665031999a3f780c2a5c2f0b9512
AgentTesla
e31e0251690d0da33289eff6d43dafb913314b28637667b2017bae3d99e95119
AgentTesla
f3341ea77e5c8f5e57ee22b1842656ff8225d0fef647bef19d0b0fcc6b87200d
AgentTesla
+ 1'851 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230328-hvy35sbc6x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Unpacked files
SH256 hash:
38e97ddc0ca7a206e064f91fdc023fc748fb6889bd832c3bf512473837d140d2
MD5 hash:
20e31082df4a79d9ef567dc1bb715fe4
SHA1 hash:
b075b150ab406a24c68ed90911265659fc052e6a
Link:
https://www.unpac.me/results/bb3326ac-796e-4430-a27f-7d262a431aed/
SH256 hash:
0f3faa2f6bfada02764e62ee83de0a3b03d47b5bca274b8d8a02e61f9e586dd3
MD5 hash:
9a19a2fa07f942f98ca2a5bd82b205f8
SHA1 hash:
a04880a42b6bb838ef8c3a1da3d2e7fbd9537c01
Link:
https://www.unpac.me/results/bb3326ac-796e-4430-a27f-7d262a431aed/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/bb3326ac-796e-4430-a27f-7d262a431aed/
SH256 hash:
b99ffd8e1c7f6d3c4b5ae81334ef99f72bc3a1dc37e3bbea4c5a490055bf470b
MD5 hash:
6a26b8fb6d34c8c4f50d97708cdf97b6
SHA1 hash:
1bfd623cb34163346ea2e1cf77f866c2e322816a
Link:
https://www.unpac.me/results/bb3326ac-796e-4430-a27f-7d262a431aed/
SH256 hash:
6bf9d07d639521837124af321555cbcdc5997fead136195aed97e2744e4120b6
MD5 hash:
acfbc6c59006cabeaa982c5cf3b2975c
SHA1 hash:
03ef87ee97fb810723f8cf284c09755c08822eb0
Link:
https://www.unpac.me/results/bb3326ac-796e-4430-a27f-7d262a431aed/
SH256 hash:
c97771c3c9da5cec4bb033a94ac643eab26d44c4e58e9e073465799244ca4a57
MD5 hash:
4d624a352c28ce4c34314ccbe132d66e
SHA1 hash:
a81242531f9dd095edce3a0147445c30bf321cf3
Link:
https://www.unpac.me/results/bb3326ac-796e-4430-a27f-7d262a431aed/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c97771c3c9da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c97771c3c9da5cec4bb033a94ac643eab26d44c4e58e9e073465799244ca4a57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c97771c3c9da5cec4bb033a94ac643eab26d44c4e58e9e073465799244ca4a57

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/378095/

Comments