MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35a006c11e8b3efaa0b70dea8608b25d61ad5ad51c21bc8faa9733c06ccd2147. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35a006c11e8b3efaa0b70dea8608b25d61ad5ad51c21bc8faa9733c06ccd2147
SHA3-384 hash: 76c45e0915cdf402ada269e740a3eb58ccf76554b7ac4de3d917568e393e81b16fc5814ee491ef2b2b11c7ccff754b69
SHA1 hash: 3e69f0f574fd2cdeb11ded1ff4f04f2b8a4905f3
MD5 hash: a68285dc5382313f6c565940baf8db40
humanhash: alaska-monkey-fourteen-arkansas
File name:Quotation Prices.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:979'456 bytes
First seen:2021-01-26 12:47:30 UTC
Last seen:2021-01-26 14:34:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:0R1BXrK9NWwBx1NvgdLHnHVBBs2+6rVO64ATzDMhvU+R5ZvaWjBZ19RlFIlAf:0R37+1TrveHnHVXrVUenMpZNRDCAf
Threatray 2'417 similar samples on MalwareBazaar
TLSH AF25CF0D02D08E19C27C5B749154C23157F97CA69A4AD72CADC5ACEF3F33642EB2B266
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation Prices.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-26 12:49:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/458f31a5-b898-4bc4-81c2-353583d8cdb3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113891/
Detection(s):
SecuriteInfo.com.ArtemisA68285DC5382.20932.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/590629
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/35a006c11e8b3efaa0b70dea8608b25d61ad5ad51c21bc8faa9733c06ccd2147/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-26 08:31:07 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwqanqi6rm7pvifxbxvimcfslvq22wwvdqq3zd5ks4z4a3gnefdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0063947555fada876477c4e186d19517a3894d56153477590b0d6367ec80fe2d
AgentTesla
306e5b34b75ce392b55691abcda73d75d7f8717e286cadc36c5582c7ebde621b
AgentTesla
67377c6c2259974077c2b7476f77823862ed6d5c6ce95c579e101b3d0a81b71e
AgentTesla
76c7edf5852cfb7559a3886e0df7dee4422a624403630a60b7584bbd050c89b6
AgentTesla
975bfa103383a4a8ee097bdaaefebba41244a41ac68a862603d1de36385f709c
AgentTesla
a1e74b7743cc21b76c0c0a4d29e020d12cf32e03b35d7425607940fe7aae3398
AgentTesla
acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423
AgentTesla
c1c46e45d0b8b42cf005b9e9bd380e4de9ee18d67901d5558dab688aa8c41fde
AgentTesla
fb1c77156c32d3643f2b21550110a48c3bbf869d2f0aa099b7400646e1fcaeb5
AgentTesla
fcb2107f5b1fe383bdd0f8ec5d085a1ed2be421ce2c1616a767b597c6b7003f7
AgentTesla
+ 2'407 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210126-r5ylvq6nwe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
9f7a5234d3e4e279a98cc0f4a8f5df63627cacff0a8535a210bc58c1df078b69
MD5 hash:
4016b63911e374a38dcfa2d298e29b9b
SHA1 hash:
852f6ce8fcb3d40e27ddce77b174e6e479d8cda6
Link:
https://www.unpac.me/results/2359f18c-d85d-4f7d-969d-1d94a767ab1e/
SH256 hash:
425653158fabdcf456d5d0123fe63ad1f3248186b67a99f9925f1ff7714b980f
MD5 hash:
7ef3a3e153e1a4bd8dbb00f084d78adb
SHA1 hash:
765f44e9390be8759877a0e79cab2b438d44e639
Link:
https://www.unpac.me/results/2359f18c-d85d-4f7d-969d-1d94a767ab1e/
SH256 hash:
6e87068339890925ec7cd0c259355f2214dbf4ceb47c99650758a8c41b09b56a
MD5 hash:
638f9a8c72a34d21b62efeb8504bc483
SHA1 hash:
1969246543777c72af67431e1e90a2c8537f7e74
Link:
https://www.unpac.me/results/2359f18c-d85d-4f7d-969d-1d94a767ab1e/
SH256 hash:
35a006c11e8b3efaa0b70dea8608b25d61ad5ad51c21bc8faa9733c06ccd2147
MD5 hash:
a68285dc5382313f6c565940baf8db40
SHA1 hash:
3e69f0f574fd2cdeb11ded1ff4f04f2b8a4905f3
Link:
https://www.unpac.me/results/2359f18c-d85d-4f7d-969d-1d94a767ab1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35a006c11e8b3efaa0b70dea8608b25d61ad5ad51c21bc8faa9733c06ccd2147

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e017300a4071f97ac22da9fc3a6b1d411485da7ecaa17d7ea8e483d57852e4e9

AgentTesla

Executable exe 35a006c11e8b3efaa0b70dea8608b25d61ad5ad51c21bc8faa9733c06ccd2147

(this sample)

  
Dropped by
MD5 8e33c49616b131075ae5343e7f8a6957
  
Dropped by
SHA256 e017300a4071f97ac22da9fc3a6b1d411485da7ecaa17d7ea8e483d57852e4e9
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/113891/

Comments