MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3cbeafcefe0aa050926d93155a7b57664103941038a9bbeecd67d9668083a12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3cbeafcefe0aa050926d93155a7b57664103941038a9bbeecd67d9668083a12
SHA3-384 hash: 781ca7882f66b839372a240dcfcefabcda2a6fd71dad32fff025781be1d0270b98d97573e00512a702adbc5b45f1c542
SHA1 hash: 9c6068beda6210d80f8d1a3476a668d16a9a6f71
MD5 hash: 44c07bd69a021683184f99dc3f68e9b2
humanhash: pennsylvania-winner-nuts-network
File name:Swift.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:822'272 bytes
First seen:2023-03-28 17:59:18 UTC
Last seen:2023-04-03 05:55:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:if1Mv+YA3SmR6JPBOPZXIgaFHI/lpbxgyEtwCbxD:eMv+3SmR+chXT/lpbKyEtTx
Threatray 1'097 similar samples on MalwareBazaar
TLSH T18005122BE650A711C7798BF527C88544C37D68F617A2EE09EE4D30E306FAB558E13A07
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift.scr
Verdict:
Malicious activity
Analysis date:
2023-03-28 18:01:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/efd32557-1e6c-4acd-b3d2-57fc2e85f639

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378278/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64232b248f3f4544f6cc7f77/reports/476f5a60-7056-46a4-bc4a-dd3fd302aa32/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d3cbeafcefe0aa050926d93155a7b57664103941038a9bbeecd67d9668083a12
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cc13cf2-8c25-4f14-b46e-3c252e30072e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1203731
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 836645 Sample: Swift.scr.exe Startdate: 28/03/2023 Architecture: WINDOWS Score: 100 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected AgentTesla 2->57 59 2 other signatures 2->59 7 Swift.scr.exe 7 2->7         started        11 nZmqoCkyaDrKjn.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\nZmqoCkyaDrKjn.exe, PE32 7->35 dropped 37 C:\...\nZmqoCkyaDrKjn.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpB6A7.tmp, XML 7->39 dropped 41 C:\Users\user\AppData\...\Swift.scr.exe.log, ASCII 7->41 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->61 63 May check the online IP address of the machine 7->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->65 73 2 other signatures 7->73 13 Swift.scr.exe 15 7 7->13         started        17 powershell.exe 20 7->17         started        19 schtasks.exe 1 7->19         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Injects a PE file into a foreign processes 11->71 21 nZmqoCkyaDrKjn.exe 7 11->21         started        23 schtasks.exe 1 11->23         started        25 nZmqoCkyaDrKjn.exe 11->25         started        27 nZmqoCkyaDrKjn.exe 11->27         started        signatures5 process6 dnsIp7 43 mail.binex.com.my 13->43 45 api.ipify.org 13->45 47 api4.ipify.org 13->47 75 Installs a global keyboard hook 13->75 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        49 api.ipify.org 21->49 51 mail.binex.com.my 21->51 77 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->77 79 Tries to steal Mail credentials (via file / registry access) 21->79 81 Tries to harvest and steal browser information (history, passwords, etc) 21->81 33 conhost.exe 23->33         started        signatures8 83 May check the online IP address of the machine 49->83 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d3cbeafcefe0aa050926d93155a7b57664103941038a9bbeecd67d9668083a12/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-27 12:30:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pf6v7hp4cvakcjg3eyvlj5vozsbaokbaofjxpxm2z6zm2aihija._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
003c6607c3deee0f0c458c18220403e1eb2ae5469814756e551faf5bf3fc9f5a
AgentTesla
1ece69250479067fb51414e7c01b699b5db1e7459c8e640c2ef6d431dfa9f280
AgentTesla
2b86bdceef870318c399cae840a7a41f7d267264c8e91e96566dee5ebda4d12e
AgentTesla
5d6b5d750a9deb1407a0d3953dfbee824ed6544255a78ff027627feb1d589744
AgentTesla
6c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44
AgentTesla
76f94696cfc03fbdfa120a515db6ee17f543a3bf0e4079496ebc04df0bbdcb97
AgentTesla
c37ea62810a7699e45c8793aabdcb2d9204ef642085d9fc73195c69f573cca6a
AgentTesla
d9c078eee29bbf1fa6676ddad6c290a903d4485a56c8a31c50e4c639680a1a00
AgentTesla
f3424ac427ed5b40cc9c83da5caa42f12e2868fad4baa2184ae1d84fc626e523
AgentTesla
+ 1'087 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230328-wlbhdaea5s/
Behaviour
outlook_win_path
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a8ee2cb785e16da225795fe036b5a3c7b72ae9759e69d24a4a6ca02bd435513a
MD5 hash:
acb08810a6594e658d7c0c9785d3a631
SHA1 hash:
b6151cc79275fb4353daa79f29d15bebb08524ae
Link:
https://www.unpac.me/results/1b37a252-cef1-43b8-9c47-78f17a74ba5e/
SH256 hash:
25403da01bf9b1c714d708d4c24054d017ee35f7bc8f1737449affaa2a7870bd
MD5 hash:
61bb9ee37b16775fb2e527e228c66e90
SHA1 hash:
b3beb4745e3d3df116a4f666a1cd3814dfc74e31
Link:
https://www.unpac.me/results/1b37a252-cef1-43b8-9c47-78f17a74ba5e/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/1b37a252-cef1-43b8-9c47-78f17a74ba5e/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
1c2f438aa031e5b8a0dea27e2b3f86c7b0dcea225cd52299a24582cc52714e65
MD5 hash:
a0d2f6cd5f33c192017089093bd0e224
SHA1 hash:
5adea11424e86ec4a15c4bac545447eefd2037f6
Link:
https://www.unpac.me/results/1b37a252-cef1-43b8-9c47-78f17a74ba5e/
SH256 hash:
6bf9d07d639521837124af321555cbcdc5997fead136195aed97e2744e4120b6
MD5 hash:
acfbc6c59006cabeaa982c5cf3b2975c
SHA1 hash:
03ef87ee97fb810723f8cf284c09755c08822eb0
Link:
https://www.unpac.me/results/1b37a252-cef1-43b8-9c47-78f17a74ba5e/
SH256 hash:
d3cbeafcefe0aa050926d93155a7b57664103941038a9bbeecd67d9668083a12
MD5 hash:
44c07bd69a021683184f99dc3f68e9b2
SHA1 hash:
9c6068beda6210d80f8d1a3476a668d16a9a6f71
Link:
https://www.unpac.me/results/1b37a252-cef1-43b8-9c47-78f17a74ba5e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3cbeafcefe0aa050926d93155a7b57664103941038a9bbeecd67d9668083a12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d3cbeafcefe0aa050926d93155a7b57664103941038a9bbeecd67d9668083a12

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/378278/

Comments