MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db31c43819071dc78a0fbf9eea7d924026b1894c5415b76636dc533c7cb370c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db31c43819071dc78a0fbf9eea7d924026b1894c5415b76636dc533c7cb370c9
SHA3-384 hash: 76856dce38aa108de11f6c187bad7c34df9fda1a55a26350be81731eea354d553b806a6ec9c55875cad69faf173976a5
SHA1 hash: 3e05b3ad32e36308221661290c91bba61f903a96
MD5 hash: 61193e74fab0abc860f0548ecd13dadb
humanhash: spring-triple-seven-whiskey
File name:db31c43819071dc78a0fbf9eea7d924026b1894c5415b76636dc533c7cb370c9
Download: download sample
Signature AgentTesla
Create hunting rule
File size:282'072 bytes
First seen:2023-01-06 13:06:05 UTC
Last seen:2023-01-06 14:29:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 6144:7kwa7Jy3GuuznsPTAqVJlKDkDpADJurrXUKgXnwp4zA7DnYX:ow3GussJ5KDkdANirEWOA3y
Threatray 11'120 similar samples on MalwareBazaar
TLSH T1BE5402DAB4B6CDA3DAD38C3058B71B21DBB7E60059A2718BE764DFBE1D230D2D520241
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon d48eb2aaaab28ed4 (1 x AveMariaRAT, 1 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
db31c43819071dc78a0fbf9eea7d924026b1894c5415b76636dc533c7cb370c9
Verdict:
Malicious activity
Analysis date:
2023-01-06 13:06:20 UTC
Tags:
installer agenttesla
Link:
https://app.any.run/tasks/6bb2e4c5-950f-4cec-a038-422b6852a0aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/350054/
Detection(s):
SecuriteInfo.com.Variant.Jaik.110210.16297.14846.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Setting a keyboard event handler
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63b81cf6bf1064ac5b2ddab8/reports/eac6c659-05fc-44f4-a8e5-99a967d16b68/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3df8138-720c-4de5-aaff-e473e50ec972
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1146307
Signature
.NET source code contains very large array initializations
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db31c43819071dc78a0fbf9eea7d924026b1894c5415b76636dc533c7cb370c9/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-01-06 13:07:06 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3my4ioaza4o4pcqpx6pou7msiatldckmkqk3ozrw3rjty7ftodeq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
14ed7cfbbff1d50464680875332052a04a19e55519b83a88749b6a2ae8d6d883
AgentTesla
4a0f195296d29cba9e753eb3b084961e5f6ff9320c2b4338c4cb8616c39ff8ac
AgentTesla
80d6b393b61dda91362a0a079fb834cc07be6740e6aca88fd94103296e0200d0
AgentTesla
8373691997253a144ab7c2059be27c2b1aa3e2172c424058cba3df514f9903b0
AgentTesla
a32619cd26fbb97072657ec6a481d4f4fd6c51b72ea5ea0837006d9a8dd24800
AgentTesla
b3271cac975a34320b8dd67850d535e5ef96651e3371356cf3ec7cfca34a3caf
AgentTesla
d632ab7152824714b8cc8e02f712512efd4940858bbd21c98a17f36caccc111c
AgentTesla
+ 11'110 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230106-qcmldsgc85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/62cc48e3-5f27-4620-95c9-9892b0d7cf24
Unpacked files
SH256 hash:
24ef65cde66455c7f23b5ba4ad11d4afac613f2532329a6732d70dc447e258a1
MD5 hash:
2ee81f261d67a8896efdce4471c44690
SHA1 hash:
7b20a0188579443276fab008618a0d6e6a9dc03c
Link:
https://www.unpac.me/results/0d1a4392-c28b-45c4-a391-71d3b8786f67/
SH256 hash:
363c29796a4095754f90f45f019c1bbca56ba5982a26ae7b4d3dbcd07bc342fe
MD5 hash:
4e9a7fdc2b96dd0603e9c53db875e95d
SHA1 hash:
331a4d59e2f8cc882cba1703978268066c1f8037
Link:
https://www.unpac.me/results/0d1a4392-c28b-45c4-a391-71d3b8786f67/
SH256 hash:
7b1e3eb9b1d60ef1b49379cc1155e9090bfe7d33f6bbb64212f4df86d61e9def
MD5 hash:
72fafda2495e25158b654eb4567e8bdc
SHA1 hash:
c4182fe21ebcef6844eb907b44cddd18dd12c1fc
Link:
https://www.unpac.me/results/0d1a4392-c28b-45c4-a391-71d3b8786f67/
SH256 hash:
db31c43819071dc78a0fbf9eea7d924026b1894c5415b76636dc533c7cb370c9
MD5 hash:
61193e74fab0abc860f0548ecd13dadb
SHA1 hash:
3e05b3ad32e36308221661290c91bba61f903a96
Link:
https://www.unpac.me/results/0d1a4392-c28b-45c4-a391-71d3b8786f67/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db31c4381907/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/db31c43819071dc78a0fbf9eea7d924026b1894c5415b76636dc533c7cb370c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/350054/

Comments