MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 347d5e11054d6bd3be95cbef68ed59692ecc7479ca2361ab62ca23ce46d9c3ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 347d5e11054d6bd3be95cbef68ed59692ecc7479ca2361ab62ca23ce46d9c3ba
SHA3-384 hash: b2362554290f7805fed21aa097288573fe7a77e36ba07f81c59e665cd18fc7877e1704e4a7d5f477fa986d5305ac07bd
SHA1 hash: 01fdd728dc4252fa5d68fe089adce4d71630ca58
MD5 hash: 47096c8e597d10d44bcd609361e91469
humanhash: winner-robert-social-oklahoma
File name:Swift Bank Copy #156065.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:641'024 bytes
First seen:2021-01-26 19:04:25 UTC
Last seen:2021-01-27 00:50:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:O6xTHdstwYWLGCo7JvBndkbLJ8DJjRigy6yMHWZTfh01lepp:ppklBvDk989RiK2D
Threatray 11 similar samples on MalwareBazaar
TLSH E4D4CF612245DF99E07F77FA5429842063F0AC8FD322D60E7FC62AAA15D7B420173B5B
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
6
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift Bank Copy #156065.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-26 19:06:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/097923b8-298c-4f04-a68e-b44c6c94a623

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113987/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.471.21394.18181.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/591160
Signature
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/347d5e11054d6bd3be95cbef68ed59692ecc7479ca2361ab62ca23ce46d9c3ba/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-26 02:57:44 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gr6v4eifjvv5hpuvzpxwr3kznexmy5dzzirwdk3czir44rwzyo5a._file
Verdict:
unknown
Similar samples:
3c8032ddd2f77a14862946d88ec94bff2d42ea6b4cf59ac2942327f275a2a298
AgentTesla
4aadc70a9c5743560308e411e042c9705eaa3aff56d58fd4e169bf37b1f34bab
AgentTesla
500e14e032d4586764f392151b1bd45545e99fae4d3a84a1470fa2735ec6694b
AgentTesla
77d54c4049d7d7beca2c7f4897882ca793587b22def49d1b2268f6707a17285a
AgentTesla
a91554baa682533311ba775b34eeb0843cf49487721fb1a6befb5b35474c6bf9
AgentTesla
b0512bf4c4bebccd0be10d2f25cf41a31b76ad4d282e0f3fa53799d45e906a15
AgentTesla
d3832be817e8fc538d6c4348290e9998dc8c7fe8e7fecc5a41e446f3614b1a91
AgentTesla
d7d0034131ad17dbfbb4a01fc0777da552bfe908862326c695a5894384659495
AgentTesla
e9bcbfd654307b0c2e6960776084c20444dae83a4300b301f541e5473077b257
AgentTesla
eb32326655d9ff8ffab963e29d0000703da122353d65091f4f56ab252e45299a
AgentTesla
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
ransomware
Link:
https://tria.ge/reports/210126-ln8wcml4kj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
1c0ad102876b4a5b823aae9071ae115be6e355ea9eae75276cf1015dc7eb13d6
MD5 hash:
7d4497e4b657d37862a02081aabf0774
SHA1 hash:
b2ef3482ef086656c09f54808b297fa8f5f815c1
Link:
https://www.unpac.me/results/4969a4de-be44-446b-8e85-ec1580101687/
SH256 hash:
4e75e374e4ad406127382fc34e04cff6928787857a63def7c7c6eb7e13239c39
MD5 hash:
4c9cea29dc56a6dff49d05eb691f37de
SHA1 hash:
89ed70820f911a817e3fe502b9d9515229a6293f
Link:
https://www.unpac.me/results/4969a4de-be44-446b-8e85-ec1580101687/
SH256 hash:
ac4512c817c309261d8198967719f4e284f6b701a81c0ccc58d64c81aeb9048a
MD5 hash:
f7b258e18e4a156535d10710b26d0f4e
SHA1 hash:
402934203483bb6e2afa1705905c470a374bb44a
Link:
https://www.unpac.me/results/4969a4de-be44-446b-8e85-ec1580101687/
SH256 hash:
347d5e11054d6bd3be95cbef68ed59692ecc7479ca2361ab62ca23ce46d9c3ba
MD5 hash:
47096c8e597d10d44bcd609361e91469
SHA1 hash:
01fdd728dc4252fa5d68fe089adce4d71630ca58
Link:
https://www.unpac.me/results/4969a4de-be44-446b-8e85-ec1580101687/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/347d5e11054d6bd3be95cbef68ed59692ecc7479ca2361ab62ca23ce46d9c3ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0d989803ab5dcd272dcba7f79e19386a8ad264b0a2fddbc8ee03525a2eaef67d

AgentTesla

Executable exe 347d5e11054d6bd3be95cbef68ed59692ecc7479ca2361ab62ca23ce46d9c3ba

(this sample)

  
Dropped by
MD5 57185da5b7e11698c450f6f13cfc06d6
  
Dropped by
SHA256 0d989803ab5dcd272dcba7f79e19386a8ad264b0a2fddbc8ee03525a2eaef67d
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/113987/

Comments