MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d68c31e1a3d21da2eb1e9bdd3cdb9e3f6c71d27e148304bb5517a1fc8b32704b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d68c31e1a3d21da2eb1e9bdd3cdb9e3f6c71d27e148304bb5517a1fc8b32704b
SHA3-384 hash: db52569f75840f21fef8b3ad998bb5e65846b8937fdaf7d85d82a61e000413f735cdd8f9d7c99f2bdae5fbf98b18e77c
SHA1 hash: 39ec64697880210c4d4c7e2f87eb506b80b16b92
MD5 hash: c121cde37ae9f4f9909c4ee8d84a7edf
humanhash: fillet-william-network-nitrogen
File name:No.783006720pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'178'112 bytes
First seen:2023-03-07 06:57:39 UTC
Last seen:2023-03-08 14:06:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:Sh4uOREBzq7zYpJJrQqLGJe4pcWmHl2A:k4uRBz3jIkWu
Threatray 1'166 similar samples on MalwareBazaar
TLSH T1B445B2303EFA502AF173EFB69AD4759ADAAFF6733707A45E109103860A13A41DD8153E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d8dc888898a898b8 (6 x AgentTesla, 1 x XWorm)
Reporter 0xToxin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
226
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
No.783006720pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-07 07:03:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0b517fd1-26d3-4cb1-af06-d8bf3c984789

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372149/
Detection(s):
SecuriteInfo.com.Win32.SuspectCrc.24191.8182.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6406e080e96aa01651233c0a/reports/6ecf8dcf-fd2f-460e-aea2-fa24a029ac11/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d68c31e1a3d21da2eb1e9bdd3cdb9e3f6c71d27e148304bb5517a1fc8b32704b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9294e8f7-3e48-4a12-97cd-0f65cc0c019b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188381
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d68c31e1a3d21da2eb1e9bdd3cdb9e3f6c71d27e148304bb5517a1fc8b32704b/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 19:25:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 39 (51.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=22gddynd2io2f2y6tpotzw46h5whdut6csbqjo2vc6q7zczsobfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
15852a249bf70514a6c961426ec261dff37d2a6bf8588d6f9775b8107a8c973f
AgentTesla
24055d43a09021ce0a445076e9b729b335a726937080337752854f2883103f67
AgentTesla
3221b60a97d6becffd25f5aadc1679400a41f91e2538f203761809f9dd65039d
AgentTesla
4097ec9b7e47872f529451d84c79c68d22016553e63c95162306354a1b15a9d1
AgentTesla
60d1370a6be9757d7c17dde38c1b092d70fa3bfc4d26a2f9548b095a2c714fb7
AgentTesla
769d0e9720bbc74f76e295710fbc77d8cb3998353ca7084bc121e780c9b1f3ef
AgentTesla
d03b8c0fcbbdc16e4c7d5794c037ad639ce4c55aa42fc1905c179c4213d0b04f
AgentTesla
e1332c9ff034ded7f31b405f082cba3f67c5bf23f679e08643907ff26679cbfb
AgentTesla
f07e48ea979743c38e1531d1b9b66585956d3d204546958b45fb7aeba189ba96
AgentTesla
+ 1'156 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230307-hrhlzsge6v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
bd9e8cb0b7aeef6196afe16a903a77dd3ab537ae08797800b41cbd3113e4e6a3
MD5 hash:
3a1772e2d5d91ea60812a40992d29744
SHA1 hash:
5fda5b4f7999cfee64a2b32d74f0ee2bebfc8c48
Link:
https://www.unpac.me/results/01a8747f-2392-4de0-90a9-459b6151decb/
SH256 hash:
340e60b197bda9d02e4311781e59f11db566f41c6621813d9e481e340aba8894
MD5 hash:
b6047af3a3fce62216cabd491bda1890
SHA1 hash:
1c334bc50b9e94689f417b9bfb23fd13e3d6b2a6
Link:
https://www.unpac.me/results/01a8747f-2392-4de0-90a9-459b6151decb/
SH256 hash:
d68c31e1a3d21da2eb1e9bdd3cdb9e3f6c71d27e148304bb5517a1fc8b32704b
MD5 hash:
c121cde37ae9f4f9909c4ee8d84a7edf
SHA1 hash:
39ec64697880210c4d4c7e2f87eb506b80b16b92
Link:
https://www.unpac.me/results/01a8747f-2392-4de0-90a9-459b6151decb/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d68c31e1a3d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d68c31e1a3d21da2eb1e9bdd3cdb9e3f6c71d27e148304bb5517a1fc8b32704b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372149/

Comments