MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31f74743aed6aabe5af121a44785c9e68b951a7d16849873d346503d79868246. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31f74743aed6aabe5af121a44785c9e68b951a7d16849873d346503d79868246
SHA3-384 hash: 136de901b50f7509155406204f9ad1621697f7d0ddb719ec07fa5cc152f3e5816b2a76cb2eabc7a4551e39cd76973304
SHA1 hash: b6a439786246e31f249202fa940a7eec171b74c3
MD5 hash: 1ac20ea6f693057e38bc68ed2d0273a6
humanhash: pennsylvania-seventeen-ack-seventeen
File name:order for february and march dated 02142023 NO00384855.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:337'328 bytes
First seen:2023-02-14 07:24:01 UTC
Last seen:2023-02-14 08:33:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6LJ9NcS8A+h445yf0vf+xJ2ZbDoGO1JL4f1G422D/mYGEBznP0Zz+y/X:/YxTOSUhD53LZYLb4PDe7EiZz+yP
Threatray 25'985 similar samples on MalwareBazaar
TLSH T12E742360A68CD8A3E663133035343BBB6AFA4A6415B9474B0760DFDC3A6B441ED7F721
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
order for february and march dated 02142023 NO00384855.exe
Verdict:
Malicious activity
Analysis date:
2023-02-14 07:25:35 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/4e3962ed-b8ea-4eea-81ef-dd8631ea579a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/365472/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.30104.7093.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/69403/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63eb37134c5f96ec064d5f85/reports/c526b7eb-b4b7-4a7b-a928-70fd4105081a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/31f74743aed6aabe5af121a44785c9e68b951a7d16849873d346503d79868246
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7464bff7-8362-4b22-aa3e-c84f0327a13f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1174138
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/31f74743aed6aabe5af121a44785c9e68b951a7d16849873d346503d79868246/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-14 04:18:17 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gh3uoq5o22vl4wxregsepboj42fzkgt5c2cjq46tizid26mgqjda._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3c455abc346654cecc4d49a9eb53b0f0153e3c898da5df414fb681474b43ca10
AgentTesla
63d326378f14d1814e0a2fe7ffc08d5d770f1dc6771ee07729700535094f0997
AgentTesla
a9c29ccb259ed6f5ff5ee320b6db411965393b1214516e997b9737009e81c535
AgentTesla
c44e9ac12ce90aac4ecb72c2c2077c9d068293bfb3ce47956f12a98a6b1f8746
AgentTesla
c7859e38dac67d93a0be63264364683ce6fd6b22f9145fdf7f45294458cae5a0
AgentTesla
d9e7d9699b28022d1fd6b5ced9f32e3dd3210475d6a2b2ec770d331d6a910a53
AgentTesla
eae32b5ad9674c7bf4fd973786cae305a69b47c28f6318262fcaabbafc442836
AgentTesla
+ 25'975 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230214-h8c3tsba3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
e4aaf19ab58a9336085234c8064d42ab2506305d80a8738656f2f63b1b6e395b
MD5 hash:
53bafceb44f66074283ebee1a297eba9
SHA1 hash:
aa429c19fb377151b239f7db5f670aadc027ae1f
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/289e2690-8820-47bf-9e0e-3fef0022f776/
Parent samples :
c7cc9b494022ce3e0e73f9da5a6e8c1ba4541b012c0b73be4bb4a10b2eb4c801
c0d0fe7c94e5eea8895b8b3d1a82cf8030883e1e3a5404966761d08a29063d89
c496880015b8aca953669bbfefd71f7c777370e3c12b042d6556f3e8c96d886c
8fd45841fb13a3559678bffcc6aa5d583c9d38918a5657aa8fa0337821adb237
571b5a5b56217afed525b3602ef2b894650c6c419fc18e70bfe74e2973e207f2
c7859e38dac67d93a0be63264364683ce6fd6b22f9145fdf7f45294458cae5a0
31f74743aed6aabe5af121a44785c9e68b951a7d16849873d346503d79868246
67d4ee9e6ff5fbe379250a946da129ed87a24d5d519d223450b7dfd885b4ab11
5efb7a214b43bc47d505091c168ad6ef30706a7632a98b080460895845ded776
SH256 hash:
5bcc272d31fd3651baf1fcdbc243f90aea85118dabe77d44e3c03d9af27bcdea
MD5 hash:
89d93bb4fef96dffdde5f3a451bcd14e
SHA1 hash:
2e1f60f7e30bf461671aa787f0832cc72c3a2495
Link:
https://www.unpac.me/results/289e2690-8820-47bf-9e0e-3fef0022f776/
SH256 hash:
f203bca5a49e10cce80b20d6c0db2eee508e8fdfb75cdf8f83bc7581dd1a2cf8
MD5 hash:
55dac0f2329853642bf9c0a9059acf8a
SHA1 hash:
0c41d7d882efeba7581d09cd82e0561b04a27df5
Link:
https://www.unpac.me/results/289e2690-8820-47bf-9e0e-3fef0022f776/
SH256 hash:
31f74743aed6aabe5af121a44785c9e68b951a7d16849873d346503d79868246
MD5 hash:
1ac20ea6f693057e38bc68ed2d0273a6
SHA1 hash:
b6a439786246e31f249202fa940a7eec171b74c3
Link:
https://www.unpac.me/results/289e2690-8820-47bf-9e0e-3fef0022f776/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/31f74743aed6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/31f74743aed6aabe5af121a44785c9e68b951a7d16849873d346503d79868246

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 31f74743aed6aabe5af121a44785c9e68b951a7d16849873d346503d79868246

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/365472/

Comments