MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34d51de5f6c433888504bd7b61cf58b92647599b80ba2aef103e58c4f6567e41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34d51de5f6c433888504bd7b61cf58b92647599b80ba2aef103e58c4f6567e41
SHA3-384 hash: 731ce95799e1c500cf2d5accfa9d2d1ecccc3e28ad2e18167c6cea8faf70a3349592f8fc3701f846e7b3f765ffb42ee4
SHA1 hash: 0f8c118d446ed9fd819fbcc9eeb28e6c9890e144
MD5 hash: 5bdb9922b09fa09519fdcd414dd000c3
humanhash: mockingbird-arizona-helium-crazy
File name:RFQ Inquiry 322716990-988927347478.pdf.gz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:223'226 bytes
First seen:2021-07-12 05:36:11 UTC
Last seen:2021-07-12 06:56:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 6144:xMm4CCAAInfxWntiHYPKivsYTYiHNkckrSveSA3aZK:xMwRDnf2iQKeTtkcEjSAIK
Threatray 6'580 similar samples on MalwareBazaar
TLSH T18D2412211AE2C8A7E83A0573297C57A50AFDDA4B003DAE1F57708FCAB813197DD5E721
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ Inquiry 322716990-988927347478.pdf.gz.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 05:39:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/38bdb633-0dc6-47f4-bb7c-f89de32bd0ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170875/
Detection(s):
SecuriteInfo.com.Gen.Variant.Jaik.46770.14411.28841.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3aff8a16-e2a7-423c-9612-fa5220873276
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814510
Signature
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34d51de5f6c433888504bd7b61cf58b92647599b80ba2aef103e58c4f6567e41/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 02:08:36 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gtkr3zpwyqzyrbiexv5wdt2yxeteowm3qc5cv3yqhzmmj5swpzaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
074091e8c34379d0b8f0012aae84bd058e24725376d357a9db272ce5c5ba3103
AgentTesla
08dda16e7d2b6bceccf160ffd98ca14cfa233e8e0122974288f4ec857f95841c
AgentTesla
0f95895a5ea5227304c10231e948c8f463d02a5d7d11097c25713d9672ed3c4b
AgentTesla
5f9a10a2caebb78a305800c2fd28d3a4a9387a5415df54fbfebf26e2150997a7
AgentTesla
6eae84ece9518036a2bb762dc2e30a32568e20a1f1f8ce50247310b727389150
AgentTesla
7bc6a25d60011a784a488b24aef18f3352edacc5a9b81ce5f2410e9c4448e208
AgentTesla
8ea91fdbe1081523d28e5b8328e2e63f9ee639712039236ffb31a7ce1025f371
AgentTesla
a56b70e41664dadf269b381f7b34bf08091cc5810c25c107f92cdaabae6eecfd
AgentTesla
e3ad74b8a016f646b88664a92a9d90dc06d73e3ad917fe3b42518b9e91bbfbf1
AgentTesla
fd66396106445b222874341bbfa95edd8c4c4d4835920083d08deb953ae5d47c
AgentTesla
+ 6'570 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210712-q9egtg9an6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c091fa8619aa0e5adedd0b39a4ef3438e37ba1de297e7c8805e98135f1c4795b
MD5 hash:
7fe56ea080cdb5180ecf58fe00cc79e6
SHA1 hash:
1bb00707d514a2a8412b07bee3705c8e70e2e002
Link:
https://www.unpac.me/results/e4f30749-ab7e-4aa9-89e2-de51292afd5c/
SH256 hash:
4ef7c5df104c0b2d9c1f7cb4cc7cf36ac0e6321e5d227dafe45f6b85a6523896
MD5 hash:
3cce1b26e9808ea47ed3a9bdb511f50c
SHA1 hash:
09d6382b71ba86486886e62c4a1520e9d8eeae31
Link:
https://www.unpac.me/results/e4f30749-ab7e-4aa9-89e2-de51292afd5c/
SH256 hash:
16d741e7962e1ba4b43d680eb16303900b6cf655e1f9c75f95de445e08d46067
MD5 hash:
5398d09e5a53540521ff2e9876ac0bc3
SHA1 hash:
85d029926612773cd4d3b0e8afc92c1e516336a4
Link:
https://www.unpac.me/results/e4f30749-ab7e-4aa9-89e2-de51292afd5c/
SH256 hash:
34d51de5f6c433888504bd7b61cf58b92647599b80ba2aef103e58c4f6567e41
MD5 hash:
5bdb9922b09fa09519fdcd414dd000c3
SHA1 hash:
0f8c118d446ed9fd819fbcc9eeb28e6c9890e144
Link:
https://www.unpac.me/results/e4f30749-ab7e-4aa9-89e2-de51292afd5c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/34d51de5f6c433888504bd7b61cf58b92647599b80ba2aef103e58c4f6567e41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 61561a41dc8d1f14e6f5c06a9f11f882f23e832977fe2166aad57d572a7f052f

AgentTesla

Executable exe 34d51de5f6c433888504bd7b61cf58b92647599b80ba2aef103e58c4f6567e41

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 61561a41dc8d1f14e6f5c06a9f11f882f23e832977fe2166aad57d572a7f052f
Cape
Cape
https://www.capesandbox.com/analysis/170875/

Comments