MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3735d13d69baca0f962676ec930f1b9c000031c76087ff8081772e7dcc0a6bdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3735d13d69baca0f962676ec930f1b9c000031c76087ff8081772e7dcc0a6bdd
SHA3-384 hash: 2584f5af5829a99e5b2f06521bb24428d99e3d504940ab9605587bfa4eb8146ba6eb39b9a07f70a5715a740f5fc4420e
SHA1 hash: 75ca8f3a8b3a4bd010edd6b5d939e68b8d88aa97
MD5 hash: 32ddad202182940cec3d449a9791ac30
humanhash: wisconsin-delaware-jupiter-stream
File name:2358_001_1.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:786'432 bytes
First seen:2021-09-27 14:54:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:nbFKX/iVVGDsz/UIF/OXPDv5VZRJfrtG9gywRqB6gaS6pQTdVWo3CnJLLAepV8:nZKlZIFaVVZRJf55qB646pQHSNAs8
Threatray 10'291 similar samples on MalwareBazaar
TLSH T1E1F4BF28722C892FD5AF4BB5A015050447FEEF76739DC6889D8670ED6AB673E01430BB
File icon (PE):PE icon
dhash icon cce4c4d8c8d0d0d0 (7 x AgentTesla, 2 x Formbook)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2358_001_1.exe
Verdict:
Malicious activity
Analysis date:
2021-09-27 14:55:37 UTC
Tags:
keylogger stealer agenttesla
Link:
https://app.any.run/tasks/835c107a-0efd-498f-9f12-c81be80ba5f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192167/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1048.3217.3073.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b90ea243-e646-4443-9d85-256845b1080c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859087
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491514 Sample: 2358_001_1.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 Yara detected AgentTesla 2->52 54 4 other signatures 2->54 7 2358_001_1.exe 7 2->7         started        11 newapp.exe 5 2->11         started        13 newapp.exe 2->13         started        process3 file4 34 C:\Users\user\AppData\...\yRpNBUPohjPA.exe, PE32 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmpDF72.tmp, XML 7->36 dropped 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->56 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 7->62 15 2358_001_1.exe 2 11 7->15         started        20 schtasks.exe 1 7->20         started        64 Multi AV Scanner detection for dropped file 11->64 66 Injects a PE file into a foreign processes 11->66 68 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 11->68 22 schtasks.exe 1 11->22         started        24 newapp.exe 4 11->24         started        signatures5 process6 dnsIp7 38 mail.cubasa.com.mx 50.116.93.102, 49811, 49816, 587 UNIFIEDLAYER-AS-1US United States 15->38 30 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 15->30 dropped 32 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 15->32 dropped 40 Tries to steal Mail credentials (via file access) 15->40 42 Tries to harvest and steal ftp login credentials 15->42 44 Tries to harvest and steal browser information (history, passwords, etc) 15->44 46 2 other signatures 15->46 26 conhost.exe 20->26         started        28 conhost.exe 22->28         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3735d13d69baca0f962676ec930f1b9c000031c76087ff8081772e7dcc0a6bdd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 14:53:46 UTC
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g425cpljxlfa7frgo3wjgdy3tqaaamohmcd77aebo4xh3taknpoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
382632572dab1a82bce5e4c6469f82a6032d28644f4dcf0269214dc5fdfb2093
AgentTesla
75506a0e57fd5c479e9ca63cb9a2f388210a642bc14c596260d3ed00d4534925
AgentTesla
786a9b90ee6541476ce7b9ffed8a4d22438b7cfc72ec33ddad9a3cf2cb2f8613
AgentTesla
7bccf288fd0f23a0ed1f1582ff2e5109b453c2bc01eda749bfe55a900f5b47b2
AgentTesla
903f140844764deeace11cb4295a020389de51b5bb69f3205b32d0c1d828ffa7
AgentTesla
92d0df3ce211b6be630ee1310a4f4ad91206ddc2cd30975c742b996b8c7303d1
AgentTesla
9ed5d707dbb09f0dd34e0bce5a9dbba3a9f4e61748b0aa9952f3700a8c418208
AgentTesla
b5a442f4437270d76b5f817c1265bbf0565e7904b823ba22d66442fe281b8661
AgentTesla
eb9581db02db6a23a836ba53574cf0d01bd50a6d368f10f77889a441bcb911cf
AgentTesla
fb3faf6c40ae2b4d79c0cb9e08916c5ad0eabb4747e4ffc23e925c8f5c9c59a3
AgentTesla
+ 10'281 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210927-sagngahcfl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
c35b75ecd41045e35b7349e8674d7487caa236725761c5934cdc6c5a7dae208b
MD5 hash:
aa4405c049b80d6b470fbb64439327b3
SHA1 hash:
d8b0ab41839a8e24ba174f246b4bf71fd661ab3f
Link:
https://www.unpac.me/results/50bbb7d7-43dc-46c1-846b-81533c68c255/
SH256 hash:
1b03aa52709bd908a6d94fb3138373b650def946ad0f18f56dbfb8116dbcf038
MD5 hash:
755b352ba393047d4b577b8762c1f9dd
SHA1 hash:
be08d4465d7732c367be3c9f39dc1f374df3ca19
Link:
https://www.unpac.me/results/50bbb7d7-43dc-46c1-846b-81533c68c255/
SH256 hash:
047d3ac4e5c9140622559e0f9961449f8e0f27dccb7544b39f407ecf5a4429b7
MD5 hash:
2c9ba593ef0445e7a9f3cebb65125e34
SHA1 hash:
3e0151c2505afaa0f850ee3ce1aab42e7a98cf3c
Link:
https://www.unpac.me/results/50bbb7d7-43dc-46c1-846b-81533c68c255/
SH256 hash:
efd2f7657839b252c2fb8489c1ccf610b8e57b471efe049de86a74bc1506775d
MD5 hash:
c3f3e4a9e9ab54bf847a9fc02e7a2160
SHA1 hash:
0853bec33e36ede763927cda0f03129ca763bc07
Link:
https://www.unpac.me/results/50bbb7d7-43dc-46c1-846b-81533c68c255/
SH256 hash:
3735d13d69baca0f962676ec930f1b9c000031c76087ff8081772e7dcc0a6bdd
MD5 hash:
32ddad202182940cec3d449a9791ac30
SHA1 hash:
75ca8f3a8b3a4bd010edd6b5d939e68b8d88aa97
Link:
https://www.unpac.me/results/50bbb7d7-43dc-46c1-846b-81533c68c255/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3735d13d69ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3735d13d69baca0f962676ec930f1b9c000031c76087ff8081772e7dcc0a6bdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/192167/

Comments