MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3838d700587705b7ca1c4841b7432f96dab120bf04920644df95493ddabe7ad2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 5 File information Comments

SHA256 hash:	3838d700587705b7ca1c4841b7432f96dab120bf04920644df95493ddabe7ad2
SHA3-384 hash:	6545a62ccd2f8e81a674bcd60055f5354f45c02c7848456bf15b7e25449a8cfe1185d51976d42193245f0beb40bd924e
SHA1 hash:	25caf76213d5f4d9cdf22c48963fa7b8dce95926
MD5 hash:	d024959c42044ce93e84637c3b135c88
humanhash:	florida-montana-cardinal-west
File name:	QUOTATION_OCTQTRFA00541·PDF.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	795'408 bytes
First seen:	2023-10-17 08:37:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:T1KbQTZNKYt7vIHgTuVJwvZ9xbPqJMhOds4KsLWDyavOtBj45WZwFF+sx92EF7Pn:xzHSCNJb4Mws4ae8IUFEmZQ3VO7r
Threatray	1'810 similar samples on MalwareBazaar
TLSH	T188058C17F5B54562CE44C739D6F69D0083E7ED84A7E2D6292089BADD07323BE8F0358A
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	7068ccb0b2b2b2f8 (129 x AgentTesla, 54 x SnakeKeylogger, 28 x AveMariaRAT)
Reporter	JAMESWT_WT
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

332

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/455223/

Detection(s):

SecuriteInfo.com.Win32.RATX-gen.16099.21422.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade overlay packed

Link:

https://www.filescan.io/uploads/652e47ea8d16e62970c8bf51/reports/e0a40b56-1607-48cf-a3f6-8e1f94352f23/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/3838d700587705b7ca1c4841b7432f96dab120bf04920644df95493ddabe7ad2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f306b827-fe96-4882-830d-d46ef628a68c

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1327098

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3838d700587705b7ca1c4841b7432f96dab120bf04920644df95493ddabe7ad2

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/3838d700587705b7ca1c4841b7432f96dab120bf04920644df95493ddabe7ad2/

Threat name:

ByteCode-MSIL.Trojan.GenSteal

Status:

Malicious

First seen:

2023-10-17 06:02:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ha4noacyo4c3psq4jba3oqzps3nlcif7asjamrg7svet3wv6plja._file

Verdict:

malicious

AgentTesla

4979d51c93d480bc32b1de7fe0d366d0a6fc93301e46ad4dd8a2089d26e57065

AgentTesla

5b6e037d89d37583717c2ac542e8f9e438cda7dd039ce042f2473a98b260716f

AgentTesla

79d976cea79bce9e0f920d918af0f1b0721266ca091633ae37811e088b04d1ec

AgentTesla

b91e939e8c2270f7371f16b266f738659ff6f16cf1b2cf1c66147008e3e10a8c

AgentTesla

d35dce5a33e43611c39ea134ece8746a4192f1bfd8c1577d7ebd77c0ebd66120

AgentTesla

ddd5d81f5be6314dfaa80c13fb6332b2b7e94b218b049447b37ead946f21be78

AgentTesla

f7a062cbdd22f2bd346f704ba3d4e1ca864ec525a4fa96ac2be1991faeeb5690

AgentTesla

f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

AgentTesla

fb88365884043fb264c0bb3d9291a58cfd5955468f35bfe77154b316981bdaa6

AgentTesla

+ 1'800 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231017-kjp27saf5z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

AgentTesla

Unpacked files

SH256 hash:

42781bd4a2a350ba725a0e7a5024b06820c745c922a41dd0774ff26c71465c31

MD5 hash:

32e7c9c6eb0cf0197a48537b31326b40

SHA1 hash:

ecdf97370b743ff420c4c2ef308de2bd0bd7c8fd

Link:

https://www.unpac.me/results/c0fea372-082e-4ef9-a4e9-db224e9e6151/

SH256 hash:

a804ae78a31e1e501f375ed177d30d3bdf05f98603f27cf9b26ead0956bb9590

MD5 hash:

81b6c944c8a387ed80808a52f4a59763

SHA1 hash:

b36242685419af9855f64c56b9a63105e70be411

Link:

https://www.unpac.me/results/c0fea372-082e-4ef9-a4e9-db224e9e6151/

SH256 hash:

78489f2e95c23802af7e0f7de3d424e6954694dfad188e8c69289ff75fae98ea

MD5 hash:

10819df422e98ade2af3b91a4436770e

SHA1 hash:

a892463123137584b4de8b332cf8edf1040283a7

Detections:

AgentTesla

win_agent_tesla_g2

Link:

https://www.unpac.me/results/c0fea372-082e-4ef9-a4e9-db224e9e6151/

Parent samples :

ddd5d81f5be6314dfaa80c13fb6332b2b7e94b218b049447b37ead946f21be78
3838d700587705b7ca1c4841b7432f96dab120bf04920644df95493ddabe7ad2
daf050ba6e318d8c8ff6733b838a7ae1007b66ccb467aaf0dfb9de81209c0d73
43a9be811611717939ad71f7b92ce62bd44cc096dcc463338952a7aff113c29b
538de2b03d110b5a4e88b93442e65449e70a8fd83f085309b114ed4fd7d859ac
ed414c5cd76f7735a701b3c734bc8b7fc0d21e2143eae7925e57451d49b256ea
5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab

SH256 hash:

45ddd6161fee90b79b91a4eef2bbaf173098f15adfe664afa28141cfeea9d396

MD5 hash:

0cf3fb944a93c891ab2d7b1ae8f234eb

SHA1 hash:

21b2a3bd790688335e30338ba72326697a5ee330

Link:

https://www.unpac.me/results/c0fea372-082e-4ef9-a4e9-db224e9e6151/

SH256 hash:

3838d700587705b7ca1c4841b7432f96dab120bf04920644df95493ddabe7ad2

MD5 hash:

d024959c42044ce93e84637c3b135c88

SHA1 hash:

25caf76213d5f4d9cdf22c48963fa7b8dce95926

Link:

https://www.unpac.me/results/c0fea372-082e-4ef9-a4e9-db224e9e6151/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3838d7005877/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.09

Link:

https://yomi.yoroi.company/submissions/3838d700587705b7ca1c4841b7432f96dab120bf04920644df95493ddabe7ad2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/455223/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample