MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da316c99baf4e8e8e2df0d6d52a77774edb23a7375393a7b0b9414e8cb7b04a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da316c99baf4e8e8e2df0d6d52a77774edb23a7375393a7b0b9414e8cb7b04a7
SHA3-384 hash: 72e346254401dd636a173110439f535e6d792791673d5143ba625cba91c29261db3c67548fd7ee6ad69763becb7b59e1
SHA1 hash: bb1c65c007eaa34eb7d27606197f27876feec294
MD5 hash: bfc21585d9c68ae4992a1f6f75b64e84
humanhash: friend-papa-bulldog-kentucky
File name:DHL 최종 선하증권 175955...exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:633'856 bytes
First seen:2023-10-03 06:14:40 UTC
Last seen:2023-10-04 15:37:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:svwDL7mMBsePbzk6CTvLWFK0xMIgC6XuNDmWaQzyX:waLlBs2YFvaFBMfPeNkQu
Threatray 5'727 similar samples on MalwareBazaar
TLSH T132D4AD1827885927C25F1A34D1F7614CEFB5CA378B8AA78E5C8076B99C533C9D9834E3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
300
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.63.5327.6479.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/651bb16d426c8727d6e90ea6/reports/99e5ea33-ff56-45e2-81ed-e2588bb854aa/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/da316c99baf4e8e8e2df0d6d52a77774edb23a7375393a7b0b9414e8cb7b04a7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f376e1c2-7feb-4567-b769-c105bfdf5149
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318470
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da316c99baf4e8e8e2df0d6d52a77774edb23a7375393a7b0b9414e8cb7b04a7/
Threat name:
ByteCode-MSIL.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 03:51:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3iywzgn26tuoryw7bvwvfj3xotw3eottou4tu6ylsqkors33astq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2628313da5e34653481666207066dd34c810d7285cebf4b1ecea700ba8aed211
AgentTesla
3729e3e8097e540c9acea07301ef89b51e25f08a5907ca09c3483ae02440b3ae
AgentTesla
3ca46cbfdb8930e476e9452091a56cf37a28f848a88435463c6b08c787ea59ad
AgentTesla
51750c80c00e61d2d5017c6b82a935000ac8ba5d38b7bc37b4ed98f193785148
AgentTesla
63b53c9f93e262d689fd45a2e2117e374e5ea602d27a9cb2e8d10b289a4d46d5
AgentTesla
75c3496ee243be07930a47bd8b2a34bec9fb5f956f60d3dbfcc798753c6a9421
AgentTesla
cd024d5e9533b28abd95f67a9c4fe4813e179ad4bbb7c70cfaba546eaf21a73f
AgentTesla
+ 5'717 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231003-gzxkfaae55/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
8f79103431d8226133c1846147e61eadcf620fd35f9a2434f382b136c141ff69
MD5 hash:
1d27188f2e5dd464e9676fc439b99707
SHA1 hash:
fd5d7e9053a5981c5f80b40fea3efd8efde05513
Link:
https://www.unpac.me/results/6a6e274b-7baa-4fb4-b413-67351c6e4d59/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/6a6e274b-7baa-4fb4-b413-67351c6e4d59/
SH256 hash:
f384e7e639de402be3baba07686c4ec9c75025de5e7cb98e3841a5b27f810051
MD5 hash:
d9aad1bf31fc06a5b9f183f61be1bb4b
SHA1 hash:
46671c076507556fb1fcb5a822ce514faffcf24f
Link:
https://www.unpac.me/results/6a6e274b-7baa-4fb4-b413-67351c6e4d59/
SH256 hash:
baefd0d8586f31412ded00a8670fdb066be7e7d29e0094a4b43c800dddbaa4d4
MD5 hash:
5e8f38777614353be7c4dfe434c9c774
SHA1 hash:
1090d992eceaa06be642ce657bcb30e0e44a3a7c
Detections:
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/6a6e274b-7baa-4fb4-b413-67351c6e4d59/
SH256 hash:
da316c99baf4e8e8e2df0d6d52a77774edb23a7375393a7b0b9414e8cb7b04a7
MD5 hash:
bfc21585d9c68ae4992a1f6f75b64e84
SHA1 hash:
bb1c65c007eaa34eb7d27606197f27876feec294
Link:
https://www.unpac.me/results/6a6e274b-7baa-4fb4-b413-67351c6e4d59/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/da316c99baf4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da316c99baf4e8e8e2df0d6d52a77774edb23a7375393a7b0b9414e8cb7b04a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Discord_APIs
Create hunting rule
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe da316c99baf4e8e8e2df0d6d52a77774edb23a7375393a7b0b9414e8cb7b04a7

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments