MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 350b31699cc2a188797aa30da41b3a5c4050b091335c7be16f237f7f66ec9e7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 350b31699cc2a188797aa30da41b3a5c4050b091335c7be16f237f7f66ec9e7e
SHA3-384 hash: ba29f70dd06d2ac983a673956db1c951f1a5eaaa363c96fb2bca50e02a2c0bf9fb6c7aeef6cde209a39621171749faa2
SHA1 hash: f4c017a9aab755c447f2cbe019e2547d78df53fd
MD5 hash: 10201bf42cb442257b777332e3d71a30
humanhash: bakerloo-lactose-shade-chicken
File name:10201bf42cb442257b777332e3d71a30.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:914'944 bytes
First seen:2021-07-13 12:56:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:JyuKPYqd994yZuVeZ4D9su9H7/NlshHlzquu9v/SaXN5GnTOdU+CHpZges:YuUnQ8cau1ZCplm9XSxs
Threatray 6'659 similar samples on MalwareBazaar
TLSH T184159D6C33FEA509F237FE709FA4F7449E6A66BA9225910D59C4030B6821D80FE77532
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry.xlsx
Verdict:
Malicious activity
Analysis date:
2021-07-13 13:04:30 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/f8d072ae-34a2-425b-a632-0b7c395ce67c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171391/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.925-1.UNOFFICIAL
Create hunting rule

Win.Packed.Taskun-9874486-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1615c32e-08f7-4664-8aa7-311815a55d8e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815687
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448118 Sample: d6zIvoGMDY.exe Startdate: 13/07/2021 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 5 other signatures 2->49 7 d6zIvoGMDY.exe 7 2->7         started        11 MLdAu.exe 5 2->11         started        13 MLdAu.exe 2 2->13         started        process3 file4 29 C:\Users\user\AppData\...behaviorgraphErNrLdFluSf.exe, PE32 7->29 dropped 31 C:\Users\...behaviorgraphErNrLdFluSf.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\Local\...\tmp7714.tmp, XML 7->33 dropped 35 C:\Users\user\AppData\...\d6zIvoGMDY.exe.log, ASCII 7->35 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 15 d6zIvoGMDY.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        57 Multi AV Scanner detection for dropped file 11->57 59 Machine Learning detection for dropped file 11->59 61 Injects a PE file into a foreign processes 11->61 21 schtasks.exe 1 11->21         started        23 MLdAu.exe 2 11->23         started        signatures5 process6 file7 37 C:\Users\user\AppData\Roaming\...\MLdAu.exe, PE32 15->37 dropped 39 C:\Users\user\...\MLdAu.exe:Zone.Identifier, ASCII 15->39 dropped 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->41 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/350b31699cc2a188797aa30da41b3a5c4050b091335c7be16f237f7f66ec9e7e/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 12:57:04 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=guftc2m4ykqyq6l2umg2igz2lrafbmergnohxylpen7x6zxmtz7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
086b930d1a631edf83cfe41204603a67e9cf4661ecee97761f7dcb8f87bb6e70
AgentTesla
2361e8542045dddfaa5e2e6dfc49db670b687dcfa00e7877830de468bc076e38
AgentTesla
528c4017fc8019572354de7746bba7978bb1ce0c9508e42644799712fb5ea869
AgentTesla
5bb1ec5f6be562ca2beec31d45c6cce4b811283b225e3f2654dbfbe5cc8f07de
AgentTesla
988015476a43d916c6d49009eaa2e262246ac18eaf1615113262cd3540708450
AgentTesla
9c945e3dd82b26e5b6e2bc96a1aa6fdc1365235e6479c143340073fc831048fe
AgentTesla
c6cacd1d2bfb210318a62cabce8045f5735cd9a0e58c3aea8d3ec2174f6d7abb
AgentTesla
c7607bcbc0acfdf8733dff8a4f709009236da553d300abc2d0df98b3e6c70f58
AgentTesla
df54a04599bb3953ffcf067a4308e01dafe8ac2c9064bdd3fbc3a441725a06f2
AgentTesla
fe71bef6acadf2feb1a19c9e51543be0cacb245a5ce034b7510c72912996580e
AgentTesla
+ 6'649 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210713-tellyj9ct6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
3362f55b8411cfd69ab320cdfa8fd2a56e8a2e0cb2995bf8b5065bd843f4830b
MD5 hash:
18cce0397618850302566807bcded839
SHA1 hash:
eef0db37c23f7c254be4d2ab593af366fc481e90
Link:
https://www.unpac.me/results/afbd28d4-216d-4997-ac2e-df177ec6e64e/
SH256 hash:
139dd5e7e416f37213c5a7465f6ea1c3626827e67a25d2d8b29ea78627ee0db6
MD5 hash:
436ed575a6304277846806f1458e6c57
SHA1 hash:
e7c05aef669660ac407bf5b4b098365654a887a1
Link:
https://www.unpac.me/results/afbd28d4-216d-4997-ac2e-df177ec6e64e/
SH256 hash:
553107495afaa63cfe8921f123be1796987885a0813872c6b6906be32ec4aa44
MD5 hash:
36af3d9a6a29d5ec0d6ec65f8463acff
SHA1 hash:
cecd0f41a788a1d191ee047b66e8348a412beef0
Link:
https://www.unpac.me/results/afbd28d4-216d-4997-ac2e-df177ec6e64e/
SH256 hash:
3c9f552765104183e47e238fdae5ff82210b46af1f9b511ee8aa9e41f19b4077
MD5 hash:
7aed072fc2b30310efc248a2bafc7dda
SHA1 hash:
9e956bce77fc925854d6800b6fb4647dfb813e26
Link:
https://www.unpac.me/results/afbd28d4-216d-4997-ac2e-df177ec6e64e/
SH256 hash:
350b31699cc2a188797aa30da41b3a5c4050b091335c7be16f237f7f66ec9e7e
MD5 hash:
10201bf42cb442257b777332e3d71a30
SHA1 hash:
f4c017a9aab755c447f2cbe019e2547d78df53fd
Link:
https://www.unpac.me/results/afbd28d4-216d-4997-ac2e-df177ec6e64e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/350b31699cc2a188797aa30da41b3a5c4050b091335c7be16f237f7f66ec9e7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 350b31699cc2a188797aa30da41b3a5c4050b091335c7be16f237f7f66ec9e7e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1430278/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171391/

Comments