MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a361c768a1ebfd17d5b44a2d4915301c9f06640720f0644fd9809b48b12c4c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a361c768a1ebfd17d5b44a2d4915301c9f06640720f0644fd9809b48b12c4c3
SHA3-384 hash: 726949fbc2aa2171488ba69d7c648b968e76ee36c7cb723e7768222a57a6302177546597ae42e3cc9656c5f0ff0260f9
SHA1 hash: c7646e16532dcba244921ed5b0f1efa9e7cb1dbc
MD5 hash: 4805179e370047f8b96ed8950d9bf6e5
humanhash: nineteen-sweet-cardinal-fish
File name:FİYAT TEKLİFİ TALEP RFQ_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:604'160 bytes
First seen:2021-12-16 14:17:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:h8PapPapPaVt9uhqOtFI50r/OyqTEr4RIOia+YWjaEfnsGuSK3:h8P8P8Pitwcq/uR/SsdSK3
Threatray 13'457 similar samples on MalwareBazaar
TLSH T15DD4E00132A9DB12D4B9ABF88C60A0B407B67C66A57AEB0F1DC17DEF36B4F804550B57
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter pr0xylife
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214608/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61bb4a9f8541392eb4eaa7c0/reports/707fa693-a394-4254-b1f9-c719bc3bef7e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/232ebc32-6e6c-46fc-a2f6-9877009b007a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908563
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 541041 Sample: F#U0130YAT TEKL#U0130F#U013... Startdate: 16/12/2021 Architecture: WINDOWS Score: 100 58 etites.com.tr 2->58 60 mail.etites.com.tr 2->60 70 Found malware configuration 2->70 72 Yara detected AgentTesla 2->72 74 Yara detected AntiVM3 2->74 76 12 other signatures 2->76 8 F#U0130YAT TEKL#U0130F#U0130 TALEP RFQ_PDF.exe 7 2->8         started        12 RmxqUKg.exe 2->12         started        14 RmxqUKg.exe 2->14         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\fteEWbNiqSKQD.exe, PE32 8->50 dropped 52 C:\...\fteEWbNiqSKQD.exe:Zone.Identifier, ASCII 8->52 dropped 54 C:\Users\user\AppData\Local\...\tmp9A6A.tmp, XML 8->54 dropped 56 F#U0130YAT TEKL#U0...LEP RFQ_PDF.exe.log, ASCII 8->56 dropped 78 Adds a directory exclusion to Windows Defender 8->78 80 Injects a PE file into a foreign processes 8->80 16 F#U0130YAT TEKL#U0130F#U0130 TALEP RFQ_PDF.exe 8->16         started        20 powershell.exe 24 8->20         started        22 powershell.exe 25 8->22         started        24 schtasks.exe 8->24         started        82 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->82 84 Machine Learning detection for dropped file 12->84 86 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->86 26 powershell.exe 12->26         started        28 powershell.exe 12->28         started        30 schtasks.exe 12->30         started        32 RmxqUKg.exe 12->32         started        signatures6 process7 file8 46 C:\Users\user\AppData\Roaming\...\RmxqUKg.exe, PE32 16->46 dropped 48 C:\Users\user\...\RmxqUKg.exe:Zone.Identifier, ASCII 16->48 dropped 62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->62 64 Tries to steal Mail credentials (via file / registry access) 16->64 66 Tries to harvest and steal ftp login credentials 16->66 68 2 other signatures 16->68 34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a361c768a1ebfd17d5b44a2d4915301c9f06640720f0644fd9809b48b12c4c3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-16 14:18:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hi3by5ukd275c7k3isrnjektahe7azsaoihqmrh5tae3jcysytbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
57b2a44351febaa40160b21423b5f084f15802290e82910cd3d94331eb3e3791
AgentTesla
99ed8a3d3d579ffcbca302f6c584fb044b260495a92d85bc1af66bd295bc402d
AgentTesla
9a6023a8b502b7fe13fbd7c5007c69d02fcd90e98f5206acea450cbe37bd6f1a
AgentTesla
dc3c0dc5884f2252d2632da5c719e49080197ae9e06dd7438a31c65b800d3f84
AgentTesla
e4583733e01055358850303d6eeb2a936d5e8bfadd4b34387656e8d617405f2d
AgentTesla
e7d489df6c41d065986388f6673e9b179acf89d87acf58ca8a015d778a6c8dff
AgentTesla
ef0a4d74505ed6671e8a1de8c1c3d91d87aa06a0fa63467b3bbdbb241eb9c1e0
AgentTesla
f4bb5c1806e72df06936c0b9b1fefe3cfe5cf68604bdaa36ffbc61a2860aa6b9
AgentTesla
f7e04a704089ed7e79b3642e223363084ed1b482cf417295b64e71ab087edc61
AgentTesla
+ 13'447 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211216-rl9yqaccd6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Unpacked files
SH256 hash:
604d25d40ac23880e64999fb7d3e5ee835cb2631fcb8eef6f7cde72b45b3f278
MD5 hash:
1d368c8ac8bf5d4d0d5169b264ed50c7
SHA1 hash:
96e9090392f6bb43f94b7ed48e0c5443140ca22a
Link:
https://www.unpac.me/results/669fe05a-0064-4975-846f-390946553edc/
SH256 hash:
ce0ca20865e085d512a5bf491e42e4e121674c529ea79a3d4fb2fbe24621ec44
MD5 hash:
fa195c7196c7e46298e86e8fc25403ba
SHA1 hash:
5c2050366eb54ff6628442e3a0fbb6173b9bbb40
Link:
https://www.unpac.me/results/669fe05a-0064-4975-846f-390946553edc/
SH256 hash:
9f5763966bacdc6de3944a6e06a49b05869c38f2e98b32cb93b483a480a6ffff
MD5 hash:
3418c620c4b9dd4533a88f1ba5ec3ff1
SHA1 hash:
12f6aaf1c90030c4063d42a27b2e7000a08b6e74
Link:
https://www.unpac.me/results/669fe05a-0064-4975-846f-390946553edc/
SH256 hash:
3a361c768a1ebfd17d5b44a2d4915301c9f06640720f0644fd9809b48b12c4c3
MD5 hash:
4805179e370047f8b96ed8950d9bf6e5
SHA1 hash:
c7646e16532dcba244921ed5b0f1efa9e7cb1dbc
Link:
https://www.unpac.me/results/669fe05a-0064-4975-846f-390946553edc/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3a361c768a1e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a361c768a1ebfd17d5b44a2d4915301c9f06640720f0644fd9809b48b12c4c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/214608/

Comments