MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d380b2b195438594810d722c0bae32ec23ae83382750b778f2caf54d90b69734. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d380b2b195438594810d722c0bae32ec23ae83382750b778f2caf54d90b69734
SHA3-384 hash: fad95944969b504d87764e7d08a4592ffdbeda861bbdeadb4b9ad3c9cdc377de06919447c2d1e9828dc67219f732e25c
SHA1 hash: 79ebf5b85a00c56b15caa780ecde18f16d8cdeca
MD5 hash: bc94f6f27b7ebedaa128d1e9a5434b80
humanhash: nebraska-oven-missouri-angel
File name:ROZ MARINE - OUTSENDING.pdf.gz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:415'232 bytes
First seen:2021-05-26 12:41:43 UTC
Last seen:2021-05-26 20:07:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:lWgyWZt6S2K3HNhQ51ti/6LcZg6KT+cijrgAB0nWqY0Pb3VW83jpc7a0:DozEthQ51OQ7t5gMAB0nWwjzzpIa
Threatray 262 similar samples on MalwareBazaar
TLSH 2E9401157790A9E5E8A906B34D86D3400FA27D736D711B5F328E73AE1F773028A07B98
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162360/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36973520.12831.13364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792512
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 424908 Sample: ROZ MARINE - OUTSENDING.pdf... Startdate: 26/05/2021 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 8 other signatures 2->41 7 ROZ MARINE - OUTSENDING.pdf.gz.exe 6 2->7         started        process3 file4 25 C:\...\ROZ MARINE - OUTSENDING.pdf.gz.exe, PE32 7->25 dropped 27 ROZ MARINE - OUTSE...exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\...\ROZ MARINE - OUTSENDING.pdf.gz.exe.log, ASCII 7->29 dropped 31 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->31 dropped 43 Writes to foreign memory regions 7->43 45 Allocates memory in foreign processes 7->45 47 Injects a PE file into a foreign processes 7->47 11 svchost.exe 7->11         started        14 AdvancedRun.exe 1 7->14         started        17 AdvancedRun.exe 1 7->17         started        19 ROZ MARINE - OUTSENDING.pdf.gz.exe 2 7->19         started        signatures5 process6 dnsIp7 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->51 33 192.168.2.1 unknown unknown 14->33 21 AdvancedRun.exe 14->21         started        23 AdvancedRun.exe 17->23         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d380b2b195438594810d722c0bae32ec23ae83382750b778f2caf54d90b69734/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 06:47:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
42
AV detection:
18 of 29 (62.07%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2oalfmmvioczjainoiwaxlrs5qr25azye5ilo6hszl2u3efws42a._file
Verdict:
malicious
Similar samples:
0db50b639d859d3ddf9aa74f96d12f7ecb189a0b3006a7ed1cfd73edbc34d220
AgentTesla
2e10edfbe7c4a7c9220db55d3c6f921262366908277a5483ff0faf5579e194f4
AgentTesla
78baec19444d923fde30977dacb85fada9247b9e3ae150f32a1137e7fc0b8dfb
AgentTesla
8d21ef3f623863b5fb9ace77bdbd5adfc9422e3e76780832df62de7ce561cbde
AgentTesla
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8
AgentTesla
c3528956666ac901c406c13e9b265cb805424e91919db91a1fe2227ffbc15c7a
AgentTesla
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
AgentTesla
ca146513d9ec6ec60b81b20fd9aa2f262c54d447e8361417c3c4b7678e51e6a5
AgentTesla
e9573722d616d444c71e82f1ac6973921f3c942af4403760e0292b3ebf9159b0
AgentTesla
fc4db22fc8828f0edf477bac989a58df7b4dc5f9fcc957dc906e3682e14f6e0f
AgentTesla
+ 252 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210526-3ka4nmed8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d380b2b195438594810d722c0bae32ec23ae83382750b778f2caf54d90b69734

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz cfc67f0a38726e534f32b73acfd190886d7eedc4e9853dbd351e4bd296593266

AgentTesla

Executable exe d380b2b195438594810d722c0bae32ec23ae83382750b778f2caf54d90b69734

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 cfc67f0a38726e534f32b73acfd190886d7eedc4e9853dbd351e4bd296593266
Cape
Cape
https://www.capesandbox.com/analysis/162360/

Comments