MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db765e3ae32dab0e207e927fa48ca963404819122f9b094908001aa4d3ee7b94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db765e3ae32dab0e207e927fa48ca963404819122f9b094908001aa4d3ee7b94
SHA3-384 hash: 03dd4c51f09e0136ad232cd0a3ad05454a9d947bd55cb8e6007434715e3ed63729dd280cada8a339f0be0722431854cc
SHA1 hash: a978282d918e6088a3c84b8e0351c3126b8b237c
MD5 hash: 1ac789b4d8af79035ec0392e0f1c6752
humanhash: ohio-fruit-winter-indigo
File name:10.000 usd ödeme talimatı,pdf 345.9kb.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'112'576 bytes
First seen:2023-10-13 11:18:50 UTC
Last seen:2023-10-13 11:58:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:NF90U+ivk56Zvuqeci0wLuFvqh4lX3Gs1JAPMT6lYfT6/:L9r+isKuIsLuFU492s3APMulmTM
Threatray 478 similar samples on MalwareBazaar
TLSH T1AE35242C0CF809124161F1AEDFD8EA57B2C08CD6664C9D9687C68F995A1393BF09BD3D
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
319
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
10.000 usd ödeme talimatı,pdf 345.9kb.exe
Verdict:
No threats detected
Analysis date:
2023-10-13 11:21:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fe4af049-3a2a-4fb6-a0a6-6730a9dcf118

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454117/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade packed replace
Link:
https://www.filescan.io/uploads/652927ac853e4f06480aff95/reports/9d046e5d-760a-4e26-a902-f250bc544665/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/db765e3ae32dab0e207e927fa48ca963404819122f9b094908001aa4d3ee7b94
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4a5e9ca-6360-4a67-995e-a37c18c628d8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325233
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/db765e3ae32dab0e207e927fa48ca963404819122f9b094908001aa4d3ee7b94
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/db765e3ae32dab0e207e927fa48ca963404819122f9b094908001aa4d3ee7b94/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-10-13 09:23:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3n3f4oxdfwvq4id6sj72jdfjmnaeqgisf6nqssiiaankju7opoka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
57a285820956c77b8f6c8720ad8f2612d00012991d002b975cbb14310d481956
AgentTesla
6ca768e186aca34cce8eb9a3283f2a17a28f9b81281d464a3c80561b4fbaf066
AgentTesla
7316b0e5c95d1ff17274693f4681e7920d6305079d5833c96acf54d724852651
AgentTesla
afebc44291db59603826cac90112a97e371aa65fdd92c6da15363253e2dac27d
AgentTesla
b4e8e8b4c73c99ec54704c991759dc5e88c8623a487614ca6461ac6e4719f4d3
AgentTesla
dd6ae006c63102e72e6b73cd95097bb427fcafe3900e9d83d8864e51aa6b07a9
AgentTesla
e4c2c8f842ce22820f548ebae96def1fff8f86ce6c92adc4ff801d4adf46e1c9
AgentTesla
e6dc643614e1ab6b1809cd46b3e820157a12222c862558b12ba77568ad1c5c92
AgentTesla
e8d0cc3c7ea34571768f840ae00c2f81f08ce08a1cf237c2374f47bd3f0da646
AgentTesla
ffb16c9e23092b4194b076ed1a8fb847e65051329b025c99ff06088dd760e5a8
AgentTesla
+ 468 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231013-nevzfaaf88/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
a040efb5ce92995b5d40fd2536c8ad6a93f2d8584a3dd52f07cdb0b34c9e6e29
MD5 hash:
a5a52675690de850e3de6c05a9bd885f
SHA1 hash:
fd953edf2e910fbb43c9e6d4c8d48632bb4e55c6
Link:
https://www.unpac.me/results/922c84f3-36b0-42f7-a1ac-5ea47f7891cd/
SH256 hash:
b4a0ac5b6ceaf925236d7131322c60c392e56fa7cb9cfa3f9f205721c5d68df8
MD5 hash:
4f276f4d2b1ee2d1ce99bb35cdbc7209
SHA1 hash:
f8ecc0f0a37bec20e4f6551b762db30dc2247bd7
Detections:
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/922c84f3-36b0-42f7-a1ac-5ea47f7891cd/
Parent samples :
dd6ae006c63102e72e6b73cd95097bb427fcafe3900e9d83d8864e51aa6b07a9
db765e3ae32dab0e207e927fa48ca963404819122f9b094908001aa4d3ee7b94
10dec278f5878a62bda355e604789c42fcf7605a316caa60fb9361476093b078
2c4c1e3b9b19dc261dd44b2f59d139e3f53a7369a4bfd100c27260d511c51224
9bb7089acae83dafa7d2b4acae2384cec384bc2aab6962e514122ac69c6a5fed
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/922c84f3-36b0-42f7-a1ac-5ea47f7891cd/
SH256 hash:
998758f4df26db94b8b10f10d238314fe41afe58e0c09f23e0207e9484e64570
MD5 hash:
d2e6454d029f9db292cb52ac66a046df
SHA1 hash:
7ce7b30b0fbf57e1bd638d08938d350320dbb224
Link:
https://www.unpac.me/results/922c84f3-36b0-42f7-a1ac-5ea47f7891cd/
SH256 hash:
db765e3ae32dab0e207e927fa48ca963404819122f9b094908001aa4d3ee7b94
MD5 hash:
1ac789b4d8af79035ec0392e0f1c6752
SHA1 hash:
a978282d918e6088a3c84b8e0351c3126b8b237c
Link:
https://www.unpac.me/results/922c84f3-36b0-42f7-a1ac-5ea47f7891cd/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db765e3ae32d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV2
Create hunting rule
Author:ditekshen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/454117/

Comments