MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34171a31313d54778585ace53cf1f7b00ceca450c24e5bc39c4ef7086062699e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34171a31313d54778585ace53cf1f7b00ceca450c24e5bc39c4ef7086062699e
SHA3-384 hash: 334e7b7127e47dc472ba5d5bc28d3af060ccc53fbd8501c7fda5dd986ef9cfef6ec376b66d95c1539f57fbefa30b8c93
SHA1 hash: 5e9ba982207ad9d163d72a93ec3749adda4755be
MD5 hash: 060d30846ff0d9534816935948dba53b
humanhash: coffee-seventeen-ack-table
File name:img002990.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:197'632 bytes
First seen:2022-03-07 15:47:11 UTC
Last seen:2022-03-08 08:13:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:TDi0YAK7VgDKRPgOH28iWEwVmTuNAArZ1zdoMZhsZB83oEljDQAmf:TDi+K7meRPAFwVDjuKHfljI
Threatray 15'515 similar samples on MalwareBazaar
TLSH T13A14CF85FB053274CD24A871D813194027335D76668AEB8338E9BE24BEFF5638A73617
File icon (PE):PE icon
dhash icon f0f0f0b0cca0c4c0 (1 x Loki, 1 x Formbook, 1 x AgentTesla)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247953/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Injuke.4c.4823.6418.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06b87a48-37fb-4cd9-8d69-a57c186c7629
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951928
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34171a31313d54778585ace53cf1f7b00ceca450c24e5bc39c4ef7086062699e/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-03-07 15:48:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gqlrumjrhvkhpbmfvtstz4pxwagozjcqyjhfxq44j33qqydcngpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3b657298a18c54b3d55c3e5001fff9b6933b6f58bd3dd0b4a73de1307328917d
AgentTesla
3d66e45674214db609e7a116642f6e574438499905d2e38df1f4a60b64320b7d
AgentTesla
4e8c8f98c455a5b6e02cecb44c4239f6173116d8ea694f1bc087db7c3dcdd48c
AgentTesla
64430368874f0d720a2bb31e091b1986fc2ff4dfb581d812a05fa6dda0083230
AgentTesla
a0084fcb779319411ba0228a3e15cb3f76624d7077d46f309714de8d60f1980f
AgentTesla
a8db5691e41b1e37a1356ab50d5bde85050df5708a966b170b5062aed05f9366
AgentTesla
c08e280570de9dc368e7fa90a6da1f047c059e70bff357ef99e4b3fac88b4b54
AgentTesla
c7607bcbc0acfdf8733dff8a4f709009236da553d300abc2d0df98b3e6c70f58
AgentTesla
+ 15'505 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220307-s8rw4aacem/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
34171a31313d54778585ace53cf1f7b00ceca450c24e5bc39c4ef7086062699e
MD5 hash:
060d30846ff0d9534816935948dba53b
SHA1 hash:
5e9ba982207ad9d163d72a93ec3749adda4755be
Link:
https://www.unpac.me/results/df0ce1bb-b58b-482a-b46e-371f3f1f709e/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/34171a31313d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/34171a31313d54778585ace53cf1f7b00ceca450c24e5bc39c4ef7086062699e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 34171a31313d54778585ace53cf1f7b00ceca450c24e5bc39c4ef7086062699e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/247953/

Comments