MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 390127392e918e364a87a02ef80465150a85cba2d9c870c6c339706e1058fee3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 390127392e918e364a87a02ef80465150a85cba2d9c870c6c339706e1058fee3
SHA3-384 hash: 0d86f4b543f26c2f1d45d319073cc8e0e5b65676a1764fb9dc2a45b0597a2dff79482fcc0ec75a245f79e5ce456b12cb
SHA1 hash: b3ac26ee6b88a71bc162a8ed63883864d2461e48
MD5 hash: d8f16d45c6f2d7346b88c5bf8ad20424
humanhash: carolina-south-failed-pluto
File name:MN2039874656822937.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'133'408 bytes
First seen:2022-02-28 14:32:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:pwUFW/FZoLDo4e1/KwQEi6zLU+q+eUDPggaIRdADV3ysfe:DL415RHz/PHlL0VDe
Threatray 14'959 similar samples on MalwareBazaar
TLSH T196357A94DA8CBD43E17623B3EF3BD3CD06ACDD819C0182FF965A71890875B427A434A6
Reporter James_inthe_box
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:Google
Issuer:Google
Algorithm:sha1WithRSAEncryption
Valid from:2022-02-28T09:50:02Z
Valid to:2023-02-28T09:50:02Z
Serial number: b893133d74088690c05433467ccf2166
Thumbprint Algorithm:SHA256
Thumbprint: e0617304e75c41a0d55a4b96a5a59a524ac4e372f30142c7ce82c51ac61a1a1d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/245369/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1218.28541.30682.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Adding an access-denied ACE
Launching a process
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe mimikatz obfuscated overlay packed replace.exe shell32.dll
Link:
https://www.filescan.io/uploads/621cdd29b94fb38cb425231b/reports/8043372e-0d77-4d71-8d9e-4c3467ea404d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/188a5880-1a1f-4824-a8f1-bb830ca50dcb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/947455
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to hide user accounts
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/390127392e918e364a87a02ef80465150a85cba2d9c870c6c339706e1058fee3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-28 10:29:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=heasoojosghdmsuhuaxpqbdfcufils5c3hehbrwdhfyg4ecy73rq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0689d5aa88eeabb27ebb29c4a50ce9d1d125e641484cc649ab1bf34327e611e5
AgentTesla
24fb7946550f1ce880b6e96318c2ce6cdb993679db6a9e2c34c6e809fab35c64
AgentTesla
307bef08b553d68ba62974a3a99aba16e0ddc375f08173a1af43fd915c11b2a4
AgentTesla
84abe78d773f55b54649a4dfefaa61461211fd7eb03338c984f8458ad695b1fc
AgentTesla
88b348808c427343e33d222946c1a5ed210c13abc7ed7388072b10282551c0a9
AgentTesla
9d80245b44ae7cbe4d443e2f1dfb9e0e67268456c8357112c602c71b7268182a
AgentTesla
e25588ef7f6dc061277b4380dc1f9ad034f1eb74c254cd778fea2ab7fe1783ab
AgentTesla
eedb540d83636a85e05d9b4f5df447d8d79d9950134ef023dd77601f7b97fd0f
AgentTesla
f91e8935593d3dd5132ddd5986d32f1c6e290922f7fe63245e0eba034b23c283
AgentTesla
+ 14'949 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220228-rwva1sedg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
390127392e918e364a87a02ef80465150a85cba2d9c870c6c339706e1058fee3
MD5 hash:
d8f16d45c6f2d7346b88c5bf8ad20424
SHA1 hash:
b3ac26ee6b88a71bc162a8ed63883864d2461e48
Link:
https://www.unpac.me/results/9366af7a-2aba-40e9-84c3-edbf696fdb3d/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/390127392e91/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/390127392e918e364a87a02ef80465150a85cba2d9c870c6c339706e1058fee3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/245369/

Comments