MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3905a71c3e23f4845d1201f74ac1c9c041b0254ff486a3ea4fc2bb7119631ce9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3905a71c3e23f4845d1201f74ac1c9c041b0254ff486a3ea4fc2bb7119631ce9
SHA3-384 hash: a2e2f263a4c09235efe87118975c153912e82586a05b53fa22f8451e50d34b4f877e33de603edc19c16fb70586adb29c
SHA1 hash: 1b8d4e51f63e23b881159d168b5c0e70012c7e6c
MD5 hash: a9b63c434e205092b3373e35c051a04a
humanhash: vegan-eight-nuts-six
File name:DHL_119040 ontvangstbewijs,pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:687'616 bytes
First seen:2021-11-25 10:35:16 UTC
Last seen:2021-11-25 12:55:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:UxRhb0PixBFmEkNkyqTDfVRehcS/MjMm/NrGa3zC+NHisv3ez0i:Uxrb0Pi1KNOTDfGc2+/VDNY
Threatray 13'007 similar samples on MalwareBazaar
TLSH T1B4E4E1185B54C563CEBC4B315850D27047362EF9BC2ECA0EBBD1B9EE1FF162257A04A9
File icon (PE):PE icon
dhash icon e0f0f8d4d4f0e296 (1 x AgentTesla, 1 x SnakeKeylogger)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_119040 ontvangstbewijs,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-11-25 10:42:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/24ff50d3-2c47-4ee1-86da-ac389514f3db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com..18639.3852.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619f6715b71ceed4152fda1d/reports/cbbd0add-7229-4463-8080-f734e1e83bc4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b845f69-ee2d-4a83-836e-0de67cb5036e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896027
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Multi AV Scanner detection for domain / URL
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3905a71c3e23f4845d1201f74ac1c9c041b0254ff486a3ea4fc2bb7119631ce9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-25 10:36:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hec2ohb6ep2iixisah3uvqojyba3ajkp6sdkh2spyk5xcglddtuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
109c4995e9488d93ecd298ff9e0c5c6861b460f758d606e55f0119709f0cbb5a
AgentTesla
17c15779e354a3ab07ababa6df6eea95a31d04dbebd7f981424995d4194b9eaf
AgentTesla
2d8c309657fab94b3ff5f82de799ceee9a059a06792158e03903c39a32ee780e
AgentTesla
2fdb4786a7989663dd0873cd19eefcdb4a5bdc1dfe3d870c41da43b35cf9dacd
AgentTesla
63796a0b64029b82b751583696b72a929adabfe3578acf87e9f9d5abd692add5
AgentTesla
6f3ddb071f889d2c41a27e1237113f333ffee0232997b95896767d354eef7df5
AgentTesla
b783afa074a1c3937be1c2267c6bc5cb81449a78d877e3702f4418e78f7af490
AgentTesla
b830b088dcc04db74fc8afbb16dcfff0134c405228be44df5d996a9a5b254bff
AgentTesla
e8ce5985ee1a483e58a51299ba46bb084dd61b5adc33a1c0c903bb9b31beb66d
AgentTesla
+ 12'997 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211125-mm9l5aehcq/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://www.mgbless.in/mac/inc/0bb73b6c7ade1a.php
Unpacked files
SH256 hash:
f6639a3b21a09ca5e9e43e10f8ac7f822956232806805252096f03f68bc9815c
MD5 hash:
aa334e922c53c5cba0b43c342ac13b14
SHA1 hash:
68109327b5e98174293bb348dfea6a088cbd5d2f
Link:
https://www.unpac.me/results/2d22aca1-4b1b-47ea-9366-6731e1964808/
SH256 hash:
4c8509c1fa2f3d330301d13560c2ba9688ead71af335a77563c6031d16d1a1f2
MD5 hash:
8f7827b2ae51e52951cbb47354a3c784
SHA1 hash:
5fee4ff739fb039b57564fd8723d037c1e374e9b
Link:
https://www.unpac.me/results/2d22aca1-4b1b-47ea-9366-6731e1964808/
SH256 hash:
334a7c86cf0e20d2440140f08e56ca011e298d95f64a6830f1eb347c204dd566
MD5 hash:
f5dbdbb285aeb915ef3add091be4353c
SHA1 hash:
5e70b0cb80cacec0a14d0ea2e8427ea5bbc0c672
Link:
https://www.unpac.me/results/2d22aca1-4b1b-47ea-9366-6731e1964808/
SH256 hash:
3905a71c3e23f4845d1201f74ac1c9c041b0254ff486a3ea4fc2bb7119631ce9
MD5 hash:
a9b63c434e205092b3373e35c051a04a
SHA1 hash:
1b8d4e51f63e23b881159d168b5c0e70012c7e6c
Link:
https://www.unpac.me/results/2d22aca1-4b1b-47ea-9366-6731e1964808/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3905a71c3e23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/3905a71c3e23f4845d1201f74ac1c9c041b0254ff486a3ea4fc2bb7119631ce9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3905a71c3e23f4845d1201f74ac1c9c041b0254ff486a3ea4fc2bb7119631ce9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/209278/

Comments