MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 341b8a2dd41846720d1e03fcc1d11e1ca48e1b274e1d209ee3cc1ced7684baf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 341b8a2dd41846720d1e03fcc1d11e1ca48e1b274e1d209ee3cc1ced7684baf0
SHA3-384 hash: b9fe6286d8cc6651432e094344b0fa5a3d70b5856ef1fe163a824f6e43646177214ba456b1d1a9047b3e20ba77dd092e
SHA1 hash: 27cc6c835c34f5db991b2aa05f58542422c4d70e
MD5 hash: ff2ab7f60efeb9b4f928f02afe528df0
humanhash: kentucky-zebra-xray-iowa
File name:SecuriteInfo.com.W32.AIDetectNet.01.12646.11179
Download: download sample
Signature AgentTesla
Create hunting rule
File size:513'536 bytes
First seen:2022-04-25 20:35:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:5naZx9/1eNdIuJ/E5z1EJQfO8R862KzvhtG3jJu:5nal12Sx5z1H2gbLqzJu
Threatray 16'675 similar samples on MalwareBazaar
TLSH T155B4238B06459B70C2F607F760D2BDA283F2679B1422EB5A9D97D1FAC83BF0053D4912
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266557/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.12646.11179.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6267063579c6c1e67d2e2c04/reports/e461ade1-3cfc-49c5-a372-abafc9748de6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/485ae11c-0a2b-4640-bb97-45c1be80cfab
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/982751
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/341b8a2dd41846720d1e03fcc1d11e1ca48e1b274e1d209ee3cc1ced7684baf0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-25 14:55:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gqnyuloudbdhedi6ap6mdui6dssi4gzhjyosbhxdzqoo25uexlya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e969dba18e1defeed23c14f1246d15909ef3d1e10618b06c20206522d45c930
AgentTesla
49a9d39a546af011f10b52efa9f9fa003524a7585fb08f3101da8d090e6b93e6
AgentTesla
4b0f3abe3b0c7a9356687b4c29c68f9bab4247ca92cf5c37b42eec2881d3d2ec
AgentTesla
4e6704724e2218ac123163b44edcc4f34555cddaf9d5fd4afef51617918bdb9a
AgentTesla
9bf81bbb5c81b485b3cb9f5e79fdca12618929ab1d59cd46864f8eb31039d42d
AgentTesla
ad42e638f96ae99772ba92d8cd8a8f2ba158e23c57e446049f5a784d60469306
AgentTesla
ec5c817ad2b40525aa2f414a9d027eb313f2ead3b7d7bb28615a7725873d273f
AgentTesla
+ 16'665 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220425-zdjqkahecp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1999677510:AAHhNzHnb72ldnvRVF1mzkCYnWBTejckz6s/sendDocument
Unpacked files
SH256 hash:
09cd3bc420c8982190990a9673b58c3ab01e933dff0881f1e521d3316f1b9a6b
MD5 hash:
6933707e111286a128ad0f7fa298153f
SHA1 hash:
d1121c8bed634e9684727e8c0aad3f597b0749ad
Link:
https://www.unpac.me/results/e0f41e45-6455-4311-8f7f-0f34ae095058/
SH256 hash:
b2104f002c9ba006ae8569eb3402a076f9162f83857d1fde29fe4818100ff90e
MD5 hash:
eb3e0d2fb17610338cdef0c6f42f98ff
SHA1 hash:
876de0366e5c20653b08538575486966d4849035
Link:
https://www.unpac.me/results/e0f41e45-6455-4311-8f7f-0f34ae095058/
SH256 hash:
f681c8c12d4e05946a33884d0cdee5bc1a0c3495690a43945f179dfc35ec41bf
MD5 hash:
0a9e54f4bbd902d6e491811e4e0a6217
SHA1 hash:
1f3f47c8898756848502ed4b67b94e270ddd3a82
Link:
https://www.unpac.me/results/e0f41e45-6455-4311-8f7f-0f34ae095058/
SH256 hash:
8543bbb4c6e2f2349dd68d8993894cd86b236836385327e234eca3ffdc04c194
MD5 hash:
ca2486fe2952d0769d659e3ef6495452
SHA1 hash:
16eca69b6f89a2fd47f776f9b60124c9d6505529
Link:
https://www.unpac.me/results/e0f41e45-6455-4311-8f7f-0f34ae095058/
SH256 hash:
341b8a2dd41846720d1e03fcc1d11e1ca48e1b274e1d209ee3cc1ced7684baf0
MD5 hash:
ff2ab7f60efeb9b4f928f02afe528df0
SHA1 hash:
27cc6c835c34f5db991b2aa05f58542422c4d70e
Link:
https://www.unpac.me/results/e0f41e45-6455-4311-8f7f-0f34ae095058/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/341b8a2dd418/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/341b8a2dd41846720d1e03fcc1d11e1ca48e1b274e1d209ee3cc1ced7684baf0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pdb2
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/266557/

Comments