MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddb3e78ed4aa9ec9eaf53385fbc35a8b96e542b501b289bb81285eb381f4e923. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 6



SHA256 hash: ddb3e78ed4aa9ec9eaf53385fbc35a8b96e542b501b289bb81285eb381f4e923
SHA3-384 hash: 498c394542c7af63f5c32e054057ebb6b1498eafe60710d986bcad22550f6e80470291a6512ee825180a649581b379f9
SHA1 hash: 86f73a5125e2376068552f66b5a6f94a3ce2e8f3
MD5 hash: f157826eca71995a7772050f292cdf45
humanhash: cup-equal-angel-xray
File name: Sipariş sorgulama 19-04-22.msi
Signature: AgentTesla
File size: 327'680 bytes
First seen: 2022-04-20 09:10:53 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 6144:O0qOx0LfBO0nSjR051PKZ+4zSJLCOvQCDNCGeSHY8wu52CIhVqnjILfR7:Hqq09FPoLzGCaDNCZ9uAnujy
Threatray: 1'640 similar samples on MalwareBazaar
TLSH: T10A64120B7C888739D2110E322E2F87945726BD445EAF213E5560B7CC6FBB5C6027A5F2
TrID: 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
      11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
      1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: abuse_ch
Tags: AgentTesla geo msi TUR

Intelligence


File Origin
# of uploads: 1
# of downloads: 144
Origin country: n/a
Vendor Threat Intelligence
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found Tor onion address
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Capture Wi-Fi password
Sigma detected: Koadic Execution
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Yara detected AgentTesla
Behaviour
Behavior Graph (ID: 611918; sample: Sipariş sorgulama 19-0...; start date: 20/04/2022; architecture: WINDOWS; score: 100)
Signatures on the sample: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Sigma detected: Capture Wi-Fi password; 5 other signatures
Process tree recovered from the graph:
msiexec.exe (started by the sample)
  dropped: tmpmsi_A6afc7e4030b7a5fe748ac410329a.exe (PE32)
  tmpmsi_A6afc7e4030b7a5fe748ac410329a.exe (started)
    network: ip-api.com 208.95.112.1, ports 49173, 80 (TUT-ASUS, United States)
    network: 46.173.214.33, ports 19797, 49174 (GARANT-PARK-INTERNETRU, Russian Federation)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 7 other signatures
    cmd.exe (started)
      signatures: Uses ping.exe to check the status of other devices and networks; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
      netsh.exe (started)
      findstr.exe (started)
      chcp.com (started)
    cmd.exe (started)
      PING.EXE (started)
        network: 127.0.0.1 (unknown)
      chcp.com (started)
msiexec.exe (started by the sample)
Threat name: ByteCode-MSIL.Trojan.SpywareX
Status: Malicious
First seen: 2022-04-19 19:21:52 UTC
File Type: Binary (Archive)
Extracted files: 23
AV detection: 20 of 41 (48.78%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: collection spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments