MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f35b10b0e3e35686a822299fda274cae3a8eb0e1cb3e95cc1feac297c6429f29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f35b10b0e3e35686a822299fda274cae3a8eb0e1cb3e95cc1feac297c6429f29
SHA3-384 hash: 70112a3a31f09ab22fbda29122fc1b2b8ad4a732b57c6d062c07c47062e9021e38e37418a51f98957020e6e6d0eb5ac2
SHA1 hash: ede2305272089a2c23608c967fba3a64990648b6
MD5 hash: d5cffdbf67e5690cda73d08b584c680c
humanhash: table-cat-floor-montana
File name:Bank Details.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:829'440 bytes
First seen:2023-01-24 12:26:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:8kmLjs6/yHcnLjLyi5yXXyYmoqef8v0fRyZf4zRXwplBvLNaGniWaKr/MI:WLpVbjynwoUWRgfC+BdiWaKrEI
Threatray 20'234 similar samples on MalwareBazaar
TLSH T10B05493A05B81AC2C1BEF67DAB94DD14FEE09442F201DD8EDEE60885D81368361DBD5E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift Birdimi E-posta 6,231 USD 19.01.2023.exe
Verdict:
Malicious activity
Analysis date:
2023-01-19 08:54:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cd7c8223-cdaf-401c-a6c8-3bdfa1267311

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356373/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63cfce981c9cbf7d625206de/reports/1c777d81-f6f7-465d-9c18-0c27aef502e8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dbd766dd-8c09-4e74-b11d-202a3d4fc4e8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157870
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f35b10b0e3e35686a822299fda274cae3a8eb0e1cb3e95cc1feac297c6429f29/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6nnrbmhd4nlinkbcfgp5uj2mvy5i5mhbzm7jlta75lbjprsct4uq._file
Verdict:
malicious
Similar samples:
01b0e10d7351007133aa2a5f1cef379b855706256fb70f327990ea142df772ad
AgentTesla
2b3546bdeb88c59e6a93906e1eb14eda343c40bac1b864157574ee1e40874b5d
AgentTesla
5f1d6d9c49024913322423dbd249144d93feab55663e1cc26fb0cdf9eb16c610
AgentTesla
62a868ec8c1727bcddd3954bd37e482a5584bd40b7163132738885b7deffaa4f
AgentTesla
8bc377af9f3f8d7047f091429a8d61a7d21e1a0c826532e3c0e8da675b396b39
AgentTesla
a861f0051703c40665038421dffeae5831e31457f477e6cb12904f7254808534
AgentTesla
bf4f6bbb8086ae04df8d3b6b1874f11adb221fa765a49ccac065c458ba515488
AgentTesla
f20c0a34d3fa5c65d495dd1dcdd1a39b2512607bcc3bc24aa7e295f5b2779698
AgentTesla
f76fef3e72be648d3a32fb43e48276ef6f04cc0f5a21b89d58983c3232775adc
AgentTesla
+ 20'224 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230124-pmrgnacc3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129
MD5 hash:
874dcc6be499121b1425bfdff1f8ad46
SHA1 hash:
66f83bedc73876b77e152c604b8214bde86d965e
Link:
https://www.unpac.me/results/7866729f-09ed-4f3b-a509-b3d2a21fce2d/
SH256 hash:
6f04d12ae480f516b45ac0e90ece808bff79c8cf7155d96587f1de6ee9357b09
MD5 hash:
3a32117b53af2ce059cae97fec2bfb18
SHA1 hash:
3886c65d79efa79fc58d035321c4bb3d217ffef8
Link:
https://www.unpac.me/results/7866729f-09ed-4f3b-a509-b3d2a21fce2d/
SH256 hash:
6674ca1721a265ff173e4bc8c8251d7f09d4df66d4af1ac1a2e6d462b6e5e431
MD5 hash:
f4e85c3a316b54d8d4dbe0b5eab191ff
SHA1 hash:
06fef672b3a43e06af1993cb72f415dbd3a9ddcb
Link:
https://www.unpac.me/results/7866729f-09ed-4f3b-a509-b3d2a21fce2d/
SH256 hash:
f35b10b0e3e35686a822299fda274cae3a8eb0e1cb3e95cc1feac297c6429f29
MD5 hash:
d5cffdbf67e5690cda73d08b584c680c
SHA1 hash:
ede2305272089a2c23608c967fba3a64990648b6
Link:
https://www.unpac.me/results/7866729f-09ed-4f3b-a509-b3d2a21fce2d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f35b10b0e3e35686a822299fda274cae3a8eb0e1cb3e95cc1feac297c6429f29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f35b10b0e3e35686a822299fda274cae3a8eb0e1cb3e95cc1feac297c6429f29

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/356373/

Comments