MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f944345b0375d032341a96a19a1cc9edc944dd7bf73a77cc1a36328ae63b0e6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f944345b0375d032341a96a19a1cc9edc944dd7bf73a77cc1a36328ae63b0e6e
SHA3-384 hash: 70839ed4d14740384b7753fa8b71e354aa66715e18b28f765deaa401c9d023e2c5edd5553898a78df3859c1d5ade1239
SHA1 hash: 512f52fe302760b2da87b77ebd19350c29c9315a
MD5 hash: 69a5028f833138f40903aa088c2f8c07
humanhash: fish-robin-high-cold
File name:Shipping Documents.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'269'184 bytes
First seen:2022-08-04 17:18:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:OwEpddgQ6yAD/TzPquuU+uAf+FkGC6zeeTN5T3o8R84/ZmD:/adv6yOiuuU+uAf+FZC6zeMXT3o8RrZC
Threatray 2'968 similar samples on MalwareBazaar
TLSH T154B55DE4D316CB7BE40AFC35856EA4B258E7E6D8E313C10A262918E6C93072F554F9CD
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c4c4c4ccfcccf670 (5 x AgentTesla, 4 x SnakeKeylogger, 4 x NetWire)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
445
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping Documents.exe
Verdict:
Suspicious activity
Analysis date:
2022-08-04 17:20:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/153aa5db-a4d9-4e53-bfee-6c996d426236

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296529/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62ebff886336465f2a0fcc9b/reports/9179c45d-7d4e-46b8-be15-c07580e49495/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18cf8ffb-65ed-4b22-95ff-4b8cefab7a44
Result
Threat name:
AgentTesla, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1046413
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f944345b0375d032341a96a19a1cc9edc944dd7bf73a77cc1a36328ae63b0e6e/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-08-04 16:57:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7fcdiwydoxidena2s2qzuhgj5xeujxl3645hpta2gyzivzr3bzxa._file
Verdict:
malicious
Similar samples:
00286bed05e99217e33ec5b564dd3fdbce80effc233616bab21a26814d8e7009
AgentTesla
0c656a34dc4cedfb65ae9157b33f6af2ad1435f24b00fc93a623d1d50f31750a
AgentTesla
0dd538610bdf775fa097bf8722c58c55edac86810b314d98d152c6bce90b0b7f
AgentTesla
44e1fc8d3558bd5caa25ec85f99363873fefdab67ec1a478e67a93ffa993c850
AgentTesla
45440ff61950e60ffe3af3d1b56641f2e7b1f681510b37d25d50c0cbacecf6bc
AgentTesla
6247d75d15a1cb53acd2b704587c34520241452fa6a6983ab4c78932b4b251aa
AgentTesla
c8e3013549745ed40ee43e282037916d2e6365d8e79e94970677b25d167057e8
AgentTesla
cdd0917d044e094cf8f67787668dabaa1a8b3cdbb08859bcec8246df2e3fa6cb
AgentTesla
dcbf9df2e983476aefaba6c89d3b7a8faee511738653568ff0008d8a8aac0aa0
AgentTesla
+ 2'958 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection
Link:
https://tria.ge/reports/220804-vvt6eaachm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Unpacked files
SH256 hash:
2e1e6881170e1119f269f1e32500c496d516449b5d8117f0e7556a0a19df3a97
MD5 hash:
7158686f0db9cdd2cebe469d0330a4e7
SHA1 hash:
bca4b747797bcd3272e0f73e3d6b5558f5df1c1d
Link:
https://www.unpac.me/results/6f0bd672-336d-43da-baa4-2702380043ad/
SH256 hash:
8b30bcd66842616ff9a9ed7e183c8c97582d9b29474192061d4aff2a3d279d66
MD5 hash:
6f691e22f841d12166fecc09e3abc9fd
SHA1 hash:
4d3d2e1e2d01d6d7dadb0eddfbe582da414ebbde
Link:
https://www.unpac.me/results/6f0bd672-336d-43da-baa4-2702380043ad/
SH256 hash:
f944345b0375d032341a96a19a1cc9edc944dd7bf73a77cc1a36328ae63b0e6e
MD5 hash:
69a5028f833138f40903aa088c2f8c07
SHA1 hash:
512f52fe302760b2da87b77ebd19350c29c9315a
Link:
https://www.unpac.me/results/6f0bd672-336d-43da-baa4-2702380043ad/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f944345b0375/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/f944345b0375d032341a96a19a1cc9edc944dd7bf73a77cc1a36328ae63b0e6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f944345b0375d032341a96a19a1cc9edc944dd7bf73a77cc1a36328ae63b0e6e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/296529/

Comments