MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3487752e9714d406bfa5338a514a9bfbde46ab82e3b9eb09d19ef10667fa34e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 8 File information Comments

SHA256 hash:	3487752e9714d406bfa5338a514a9bfbde46ab82e3b9eb09d19ef10667fa34e6
SHA3-384 hash:	7e3bafeb598e65ad2f99b094cf1b71e1be1922320c579a5b964bd893314161910ffecda855231216223a435533b3e2d8
SHA1 hash:	215f2f968aea85a26fbf940256d1d9d860c28d79
MD5 hash:	d4efef1df4ba36a3b0fd1e7cf5382348
humanhash:	river-table-arkansas-winter
File name:	BL.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	858'624 bytes
First seen:	2020-11-12 14:12:16 UTC
Last seen:	2024-07-24 12:56:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1845b87344239de647efc152d562d95b (2 x Loki, 1 x AgentTesla, 1 x Formbook)
ssdeep	12288:XBnuTe1btDCiXQ3oEufKfM+EKQ1A28GCkm0JYu0B4Ai6kO08K:R4WlCiX6uikw4CkPoTvkJ8K
TLSH	6B05A023E2F15C37C17325389C0B5AA8AD2DBE1039645B873BEB3D4C9F392917919297
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3487752e9714d406bfa5338a514a9bfbde46ab82e3b9eb09d19ef10667fa34e6/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-11-12 11:48:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gsdxkluxctkanp5fgoffcsu37ppenk4c4o46wcort3yqmz72gtta._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan upx

Link:

https://tria.ge/reports/201112-nvqtrkh9fs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

3487752e9714d406bfa5338a514a9bfbde46ab82e3b9eb09d19ef10667fa34e6

MD5 hash:

d4efef1df4ba36a3b0fd1e7cf5382348

SHA1 hash:

215f2f968aea85a26fbf940256d1d9d860c28d79

Link:

https://www.unpac.me/results/2441e1f0-91d7-4c4e-a206-c379c1902d1a/

SH256 hash:

8a5ad09bb3736df2198e62dac9191c322e086afe272a1833eaac58833198d5eb

MD5 hash:

b5a6d46fb8994d165dfd9347bdddf1cf

SHA1 hash:

8f18ad11761fe553157167871d021e46d4d017c4

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/2441e1f0-91d7-4c4e-a206-c379c1902d1a/

Parent samples :

3487752e9714d406bfa5338a514a9bfbde46ab82e3b9eb09d19ef10667fa34e6
90c77987ce1e35af2b6b2713e635e4a01327c49f2c318916a99fad6bb6f5cf8f

SH256 hash:

43e554c48fb9589b0cec2aee773c312b21e57f67b51f473ccdeeb4732976e25b

MD5 hash:

d7e3d9c9f54fb301103ff7c15061005a

SHA1 hash:

ebb6bf2614d749b441bdb3970350b6854a7ed4f9

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/2441e1f0-91d7-4c4e-a206-c379c1902d1a/

Parent samples :

3487752e9714d406bfa5338a514a9bfbde46ab82e3b9eb09d19ef10667fa34e6
90c77987ce1e35af2b6b2713e635e4a01327c49f2c318916a99fad6bb6f5cf8f

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Cryptor

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/3487752e9714d406bfa5338a514a9bfbde46ab82e3b9eb09d19ef10667fa34e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	agent_tesla_2019 Create hunting rule
Author:	jeFF0Falltrades

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MALWARE_Win_AgentTeslaV2 Create hunting rule
Author:	ditekSHen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample