MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3b08f5a5ac2dd9136da86cf6baea1179e5998f153cd1f29284ae2ba4c337639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3b08f5a5ac2dd9136da86cf6baea1179e5998f153cd1f29284ae2ba4c337639
SHA3-384 hash: cc983ec7a721fd21305053e7bf990dbc8cf8e56f48133f0fa5b86c32affcc8821f2f031b1674574f0d2153d0477ad016
SHA1 hash: 5e72f67a00d3146a7153613c4320aa78a91a4c7f
MD5 hash: bc4ea0de831e420a531c7cebd18ab131
humanhash: illinois-summer-apart-artist
File name:Sipariş Hk,.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:236'032 bytes
First seen:2024-06-25 08:50:29 UTC
Last seen:2024-06-25 09:22:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:9r9IGyFzvYZ+zj3FG+9wqY+mhhhmitqOv:rGjYZSQKi
Threatray 10 similar samples on MalwareBazaar
TLSH T1F8340EE1317C8383E0A18DB14FDB467076F136ADA8F0560C75F99B2E93D2361588DAE9
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon d4a6a494a48484a4 (65 x AgentTesla, 39 x Formbook, 8 x RemcosRAT)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
365
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d3b08f5a5ac2dd9136da86cf6baea1179e5998f153cd1f29284ae2ba4c337639.exe
Verdict:
Malicious activity
Analysis date:
2024-06-25 09:00:27 UTC
Tags:
upx darkcloud
Link:
https://app.any.run/tasks/77002742-a0da-468f-8191-000f3dc124c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.50.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=667a84fe8bee61523c5d2458win7simulatehigh_evasion
Tags:
Generic Network Static Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching a process
Creating a file
Creating a window
Searching for the window
Сreating synchronization primitives
DNS request
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d3b08f5a5ac2dd9136da86cf6baea1179e5998f153cd1f29284ae2ba4c337639
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b3d2fea6-6baf-45f8-9296-52dbdfb0c8d4
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1462381
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d3b08f5a5ac2dd9136da86cf6baea1179e5998f153cd1f29284ae2ba4c337639
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3b08f5a5ac2dd9136da86cf6baea1179e5998f153cd1f29284ae2ba4c337639/
Threat name:
Win32.Trojan.InjectorX
Create hunting rule
Status:
Malicious
First seen:
2024-06-25 08:40:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2oyi6ws2ylozcnw2q3hwxlvbc6pftghrkpgr6kjijlrlutbtoy4q._file
Verdict:
suspicious
Similar samples:
08d40f912315a3b900bff66c2b47c3c85950bcf35ef60b651cb9bf63a116777a
AgentTesla
64b63793d096661c6c406b8944c179baac0ac3481941ed233132b1e69c8afec3
AgentTesla
b3d2974e884a55f91e356067b1b03ee2f3772254df4cba83e64b84570ba7bfe0
AgentTesla
bbbea2ab5d8c908df9c8446f86f5bdda283f4f4d01fff24f3f49cebb494f44da
AgentTesla
e70e1bd882581b134cb393096ef6121439018a1cbcac26010527ae5093d3d4ed
AgentTesla
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240625-kr7l8azcrb/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
d3b08f5a5ac2dd9136da86cf6baea1179e5998f153cd1f29284ae2ba4c337639
MD5 hash:
bc4ea0de831e420a531c7cebd18ab131
SHA1 hash:
5e72f67a00d3146a7153613c4320aa78a91a4c7f
Link:
https://www.unpac.me/results/1afe59ce-fe0f-43c5-9ed4-0c4018d91a30/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3b08f5a5ac2dd9136da86cf6baea1179e5998f153cd1f29284ae2ba4c337639

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments