MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03a5f02e2510ecf8b8990cd651cc7085e057555e8be3415e48167e73ae3aeb40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03a5f02e2510ecf8b8990cd651cc7085e057555e8be3415e48167e73ae3aeb40
SHA3-384 hash: fcb070024294c79a50a2a5b392a967a781a455634c20351a1677450793fa7cea0bb4ef0a041d323858d8a219724ec2b5
SHA1 hash: 52afbfbc10ded88fafa1022becf8d5fc4d91c7f3
MD5 hash: 3891b9765cdd6320b672dc4f1a8123b2
humanhash: happy-moon-snake-juliet
File name:3891b9765cdd6320b672dc4f1a8123b2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:725'504 bytes
First seen:2021-07-16 08:23:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Y1Fn4GDhVscvqFPnmEFLMDA5gcbRT7N3pM8w8I6Vjw0ZO3hjvY:knntV8ZztaA5g47t7w8I61whD
Threatray 6'923 similar samples on MalwareBazaar
TLSH T19EF45AA603888517C7EDB6B47750A6B5F3565D82FA10ED2B49A2BC83353F923D881CCD
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3891b9765cdd6320b672dc4f1a8123b2.exe
Verdict:
Malicious activity
Analysis date:
2021-07-16 08:26:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e3e8768b-522b-4061-908e-7a28f0d7e644

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172137/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.5506.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27d81411-d84b-46da-8314-e41111d9801c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817351
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449764 Sample: 5D8K69LJBi.exe Startdate: 16/07/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 8 other signatures 2->35 7 5D8K69LJBi.exe 8 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\yvnFzjX.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\Temp\tmp52F.tmp, XML 7->21 dropped 23 C:\Users\user\AppData\...\5D8K69LJBi.exe.log, ASCII 7->23 dropped 37 Uses schtasks.exe or at.exe to add and modify task schedules 7->37 39 Writes to foreign memory regions 7->39 41 Allocates memory in foreign processes 7->41 43 Injects a PE file into a foreign processes 7->43 11 RegSvcs.exe 4 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 smtp.privateemail.com 199.193.7.228, 49741, 49742, 49743 NAMECHEAP-NETUS United States 11->25 27 192.168.2.1 unknown unknown 11->27 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->45 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->47 49 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 11->49 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/03a5f02e2510ecf8b8990cd651cc7085e057555e8be3415e48167e73ae3aeb40/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 01:27:30 UTC
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aos7alrfcdwproezbtlfdtdqqxqfovk6rprucxsicz7hhlr25naa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ec625166e4d3d30edc9ecee2d9f4131085a6ade75de1ca6825a8f01a97c20cd
AgentTesla
1b19b55ce9b8738b1c0a308f0a29c4d9356888339ba0678ae11e2fc0aa749e89
AgentTesla
21bd5e4845c12f0601ae8988314a461339e03e78267cac80f4a34ce93ad404ab
AgentTesla
23efc97e61f8218480cd1b89de603d517f0b31ee4fe9e2bf1f83bcb38e242827
AgentTesla
3c6998935f862c2e46ef8d4b5ec303eeb1bbfbbc8d02955799568956ba77e051
AgentTesla
843953f91f7a0cea202cd389974f9bbfe111934bf175af7cb0e44804be5b9b4d
AgentTesla
8a61b2bcfc5f2663772aac693d9bf4f2bbeb5cf08b9ca0873250530cfb5baff0
AgentTesla
961f7b9bed8edc7f79de3d04f44282b97a4a8e41f329300e827b0c80888d5b5e
AgentTesla
9641b42c328e6e872819d139d20c3b64ed5e00d044de54550d58c2c77917e50c
AgentTesla
c7af68bcec3b1c2e3a87f08111ab75b525799c5386fa85b529f8690bfa1c766a
AgentTesla
+ 6'913 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210716-ehqcsbkzas/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
64c86435d1f874732a39787e655d7aaa5a4b80aef513ba3bd72de206b4916dc0
MD5 hash:
dfb9cffd3b579a6845e56231e979ac1f
SHA1 hash:
e64d68133f65ab2e4810d8f937a53f24204f9df9
Link:
https://www.unpac.me/results/4380dddd-3da4-4833-a7f3-b299529cb963/
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/4380dddd-3da4-4833-a7f3-b299529cb963/
SH256 hash:
7b1913f0cb02db202fa04b08781fe1415f0131150eb2315a0e746342982cdb38
MD5 hash:
9abbd69c587479b5567a5d8e9d3a4594
SHA1 hash:
b7eb58b877e2ff04480e5a70758252061b88c1fc
Link:
https://www.unpac.me/results/4380dddd-3da4-4833-a7f3-b299529cb963/
SH256 hash:
03a5f02e2510ecf8b8990cd651cc7085e057555e8be3415e48167e73ae3aeb40
MD5 hash:
3891b9765cdd6320b672dc4f1a8123b2
SHA1 hash:
52afbfbc10ded88fafa1022becf8d5fc4d91c7f3
Link:
https://www.unpac.me/results/4380dddd-3da4-4833-a7f3-b299529cb963/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03a5f02e2510ecf8b8990cd651cc7085e057555e8be3415e48167e73ae3aeb40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 03a5f02e2510ecf8b8990cd651cc7085e057555e8be3415e48167e73ae3aeb40

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1449842/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172137/

Comments