MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd8aae27e7726cc2fa28a115919e94014d94b8300018c97fc06448f8fea2796c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	dd8aae27e7726cc2fa28a115919e94014d94b8300018c97fc06448f8fea2796c
SHA3-384 hash:	d975264f3badd6c2d4fbe2bbb41a07c77138768b8651f673cbdaf2911976bfc8004dd0d2f7e2784680a8c5caee9c6875
SHA1 hash:	9d90e3bc34698ea7cd32a1e01fa5bc36e83a62d3
MD5 hash:	e40b02f52316d85f32ed05c34f100a9a
humanhash:	uncle-yankee-zulu-high
File name:	junta justificante.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	366'063 bytes
First seen:	2023-11-26 18:19:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7eae418c7423834ffc3d79b4300bd6fb (51 x GuLoader, 16 x RemcosRAT, 15 x AgentTesla)
ssdeep	6144:bNDlOltlhX8OMB7p7sKBWgVEfaq3Az8wG8dZIu8I0bCy1Fx0iOk9+RLWps:but7JMT7s4WgEfav8wG8XfD0ey1F6bky
Threatray	2'458 similar samples on MalwareBazaar
TLSH	T1157401423B90E05EE66147B21F3B1DD267A23D3D6562B21B7370F30D783E5A1960EB4A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e4e0d27230b95858 (4 x AgentTesla, 2 x GuLoader)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

299

Origin country :

NL

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/460396/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Agent.EKCH.14211.11984.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a file

Creating a file in the %temp% subdirectories

Delayed reading of the file

Searching for the Windows task manager window

Dragonfly

Gathering data

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65638c590a09154b192621f1/reports/b8149039-74c9-4e22-9960-a4468f6a6c9a/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/dd8aae27e7726cc2fa28a115919e94014d94b8300018c97fc06448f8fea2796c

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e9e06f38-4d53-4ba5-bd6a-6a9f220f8781

Joe Sandbox GuLoader

Result

Threat name:

GuLoader

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad.spyw

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1348088

Signature

Antivirus / Scanner detection for submitted sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/dd8aae27e7726cc2fa28a115919e94014d94b8300018c97fc06448f8fea2796c

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dd8aae27e7726cc2fa28a115919e94014d94b8300018c97fc06448f8fea2796c/

ReversingLabs TitaniumCloud Win32.Trojan.Guloader

Threat name:

Win32.Trojan.Guloader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-11-23 05:06:07 UTC

File Type:

PE (Exe)

Extracted files:

9

AV detection:

13 of 23 (56.52%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3wfk4j7hojwmf6riuekzdhuuafgzjobqaamms76amrepr7vcpfwa._file

Threatray agenttesla_v4 cloudeye

Verdict:

malicious

Label(s):

agenttesla_v4

Alert

Create hunting rule

cloudeye

Alert

Create hunting rule

Similar samples:

28a46a9953f0b0771ec1bf9527cd35fbefd82119f2f7349faed0e5cbec61abc4

AgentTesla

594bca97764ebc34032781ebdb633eee3ea31e2ed721ca765ce5827e6a17dcf9

AgentTesla

6acdfc7d8365b4e70685394907a60e18eac1c115c7699b364ebaa22e9c2183f9

AgentTesla

6f1d937b47e5910b8d3ba50bd73c3f52ff06b02325892f09f43a51069657ad0b

AgentTesla

880b355f4d076ee0088a17ca0b32c4b3771aae3587c49c60d853c31f129b18ed

AgentTesla

9aecf5734ff36e456fd5a50650b083c1d521d36212c0a440ec6202fc00d14380

AgentTesla

dd8aae27e7726cc2fa28a115919e94014d94b8300018c97fc06448f8fea2796c

AgentTesla

f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

AgentTesla

+ 2'448 additional samples on MalwareBazaar

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231126-wyq4laah37/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

AgentTesla

UnpacMe 5

Unpacked files

SH256 hash:

1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

MD5 hash:

f27689c513e7d12c7c974d5f8ef710d6

SHA1 hash:

e305f2a2898d765a64c82c449dfb528665b4a892

Link:

https://www.unpac.me/results/912c7d22-27c8-4c5d-afdc-261f71e3e73f/

SH256 hash:

6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

MD5 hash:

8cf2ac271d7679b1d68eefc1ae0c5618

SHA1 hash:

7cc1caaa747ee16dc894a600a4256f64fa65a9b8

Link:

https://www.unpac.me/results/912c7d22-27c8-4c5d-afdc-261f71e3e73f/

SH256 hash:

bc4f95b716d26bbf9a6434569a6d777755ba233666a9ce57cb393ca25b82212f

MD5 hash:

d4be14b49e319ba76c559e6c2c284a04

SHA1 hash:

ef39e0be34505530da6710d450c0d97922ef0e1d

Link:

https://www.unpac.me/results/912c7d22-27c8-4c5d-afdc-261f71e3e73f/

SH256 hash:

f344713a08459675b6db6fc79e93f7813d8793af6fd9a2c8c64aa1a0a0e0d218

MD5 hash:

d53c32cedd3d4c37d0a35183ec531ed9

SHA1 hash:

1184372024a780df8234ac67c4a5db4d303adbc5

Link:

https://www.unpac.me/results/912c7d22-27c8-4c5d-afdc-261f71e3e73f/

SH256 hash:

dd8aae27e7726cc2fa28a115919e94014d94b8300018c97fc06448f8fea2796c

MD5 hash:

e40b02f52316d85f32ed05c34f100a9a

SHA1 hash:

9d90e3bc34698ea7cd32a1e01fa5bc36e83a62d3

Link:

https://www.unpac.me/results/912c7d22-27c8-4c5d-afdc-261f71e3e73f/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dd8aae27e7726cc2fa28a115919e94014d94b8300018c97fc06448f8fea2796c

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe dd8aae27e7726cc2fa28a115919e94014d94b8300018c97fc06448f8fea2796c

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/460396/