MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f
SHA3-384 hash: 3a4bee9605e3e91b9af20209e4aa290f58374f8ea46e36eb26c71fc38c309c39d08d5ff973ca576029b0c8c8ac62f6ee
SHA1 hash: 778ba3349fecb99d951d26abac2a8df62bf2cd30
MD5 hash: f855618edbdc3d9a2feca6aa55b9c11b
humanhash: music-burger-utah-zulu
File name:096 invoice.Docx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'163'776 bytes
First seen:2023-06-19 11:32:20 UTC
Last seen:2023-06-19 14:58:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:GQYqtm8OqKW3nNcF1apNL5dJurc5Msk+mgPwiSL0jb85:7+8OQN2Y7BuYznIiSL0385
Threatray 5'413 similar samples on MalwareBazaar
TLSH T1C435F5C61A14A747FFFC86B50099E13F126E6F5DA914A2CE5E91B3E5A233A0D0DC1B43
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 16874d4c4e0e8756 (2 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
096 invoice.Docx.exe
Verdict:
Malicious activity
Analysis date:
2023-06-19 11:37:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0cb8729b-d06f-4025-9e13-7cf35fb0834d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400404/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.31960.26975.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64903cee68ccfa51b7d81103/reports/c92d097e-0b00-4114-b485-947df83a72eb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c52374e9-77c6-4737-80a8-005e9e2cd611
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257334
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f/
Threat name:
Win32.Trojan.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 09:42:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hccokz3ctvsdh27puefs43ktuj7xwgoj2lq4jstre36ez3w2emhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a50e4e96fe3948c570214cd5dcdf34b3a2625742eaf15ebdde41d0cd75dea61
AgentTesla
14480f4ce9a1c99ea2336e2d28ccd37aac77275f8adde88ef001318b45a644b7
AgentTesla
1f1987c42f73ffac95703d0f7c9445819e46f1471eb6049a51b66e0c7e730804
AgentTesla
39893af7f960c76c20ab2b99e5caa2acabab3c7fc01e47791586f451eba5be5b
AgentTesla
3d0816e876a59f4e3b56bd2105122ef69499f79bab375b0956716494eb286dbd
AgentTesla
3d9b67b5dc857a2663548b9335d48dde0a880f6b61490f0cced767399a166f2b
AgentTesla
415dba49ad160b272fc159f4a7eacba2990c09f0941127acb8c3366fe7866c12
AgentTesla
642caac35b91c7f6346536161060cb7f06ad8e5849ba771eafb0b247447bb64f
AgentTesla
82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59
AgentTesla
9535651c3045997ff8c014100fa84d249541469028b3366624a4f472ed08f644
AgentTesla
+ 5'403 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230619-nnyrpaef4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5817723059:AAHLBu2CaRbhv8Vp2UNvh8S3DM3a6i7mZsk/
Unpacked files
SH256 hash:
44e898c13b8933ef2386e350159d819a4b7e432ddce027e3d1e699ef2e15ef2b
MD5 hash:
a2f9853ea209cc920efceddd589241e9
SHA1 hash:
d516fb8797825e6b46345efb0a75bed6b1406c8d
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/88733aac-6042-45aa-b1eb-5fb830f0060d/
Parent samples :
14480f4ce9a1c99ea2336e2d28ccd37aac77275f8adde88ef001318b45a644b7
0a50e4e96fe3948c570214cd5dcdf34b3a2625742eaf15ebdde41d0cd75dea61
9535651c3045997ff8c014100fa84d249541469028b3366624a4f472ed08f644
5ed11a0df9fba27a5396e764f91ffdef4cc12784303f8d48bd1090528df306de
39893af7f960c76c20ab2b99e5caa2acabab3c7fc01e47791586f451eba5be5b
3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f
SH256 hash:
24b077fd9b344cd944a736f24ada8b80c7285f7343ff9dc56b58769bde27e4f6
MD5 hash:
64fcc151459a284a183dbbc044aa2142
SHA1 hash:
a33fa55f857e654bb5688c116680217e673bb600
Link:
https://www.unpac.me/results/88733aac-6042-45aa-b1eb-5fb830f0060d/
SH256 hash:
9b65db7047bda478926e1453005044c60ca79968374ee0ef0264136117d5ee8c
MD5 hash:
d5e80ccf807eefa5232ee073cb4d276e
SHA1 hash:
656f6608cafb779ac716e8c04ccd4e60f139604f
Link:
https://www.unpac.me/results/88733aac-6042-45aa-b1eb-5fb830f0060d/
SH256 hash:
45212998b494a6305625769b4900dd408e0f1104625abf80e1924a8a9c04c152
MD5 hash:
67780ed6273179d626851e876646b1f3
SHA1 hash:
44ad9a934f08479058590f08f1ff5268225e29ce
Link:
https://www.unpac.me/results/88733aac-6042-45aa-b1eb-5fb830f0060d/
SH256 hash:
bbd2ed6ad2547fd8d745c55c51240f06c599dae9374b52fd4fac5b74daa86ce0
MD5 hash:
f3d896f7cfdda4ab71acdb0270647d59
SHA1 hash:
27eeb4499d3bf8fb6b6ece4f398b95f6b24eac2e
Link:
https://www.unpac.me/results/88733aac-6042-45aa-b1eb-5fb830f0060d/
SH256 hash:
3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f
MD5 hash:
f855618edbdc3d9a2feca6aa55b9c11b
SHA1 hash:
778ba3349fecb99d951d26abac2a8df62bf2cd30
Link:
https://www.unpac.me/results/88733aac-6042-45aa-b1eb-5fb830f0060d/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3884e567629d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400404/

Comments