MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a819a1cbc8d0a2f94bae5aa3545cb686763d8136a43914193f09f9e53b7c066. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a819a1cbc8d0a2f94bae5aa3545cb686763d8136a43914193f09f9e53b7c066
SHA3-384 hash: c9c2cd0a4a5a2dbb9a30bf76ec7b92ad3f76a5d96ba6dc124ef3c2f2db6970c9d6ac763525a86978d591285de4a28271
SHA1 hash: 26240b6aba719e4f3f3d36bb27a9e77f5c4179d5
MD5 hash: 8f1479f58a650a00c55d6e99866e73a9
humanhash: cold-potato-early-cardinal
File name:Image.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:818'176 bytes
First seen:2021-02-22 07:07:40 UTC
Last seen:2021-02-26 18:49:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:DHzJEnZlvN86VLK5XQN7cE+HXsoXnsJ7hKy5Jdb7w:jzJEB+hQNQE+HXTA7hj
Threatray 2'740 similar samples on MalwareBazaar
TLSH A7059E1162A8667CE97BA7396A34404FC7F2BD67EA36C64F3D90318F4D71A418732722
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
13
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab.exe
Verdict:
Malicious activity
Analysis date:
2021-02-21 22:42:02 UTC
Tags:
rat agenttesla trojan
Link:
https://app.any.run/tasks/59190a2b-5e09-4abd-8954-3df5b36517a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118208/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36381147.26521.8437.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613693
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3a819a1cbc8d0a2f94bae5aa3545cb686763d8136a43914193f09f9e53b7c066/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-02-21 19:47:05 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkazuhf4rufc7ff24wvdkrolnbtwhwatnjbzcqmt6cpz4u5xybta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1d0aa1485b2e4d3e411e2d2e9ddfc3763120082cc039972770d5aa882fd4cb87
AgentTesla
3522ddfe2f7474bb41cef6015aace8681c77d2c6570d0600eab409caff68a251
AgentTesla
636e96438bf8b2c34f6d80f0030c5b3b93029d13bdbb892a75e3d26942c80b46
AgentTesla
7047ffe9f593c5caf62a74b731651ec92da3b5b29df4d042b935d10b29f49e85
AgentTesla
a5b4a1aa53134e93a392b7b90cc7c5d4a939d4f61bdf330de08d49fa1b4356ed
AgentTesla
b20c3245ef7cde5dc9429ef1bcef75cba906df8c09b28b29ac882f62135491a7
AgentTesla
b3efff040730dd6af8c66d93e0c2bb96273051264abb10182c1c5831b5d7ffcc
AgentTesla
efc33e49a1f2bb8a2caf20a3609c44170c3739c90c1e2f4f236961e13279a3b3
AgentTesla
f45d2efc6e407a17cbe129622fddf8a26e108d39f5fd05a164525d95ad8a3218
AgentTesla
f90cf6686fcfe69bb074cf65a5b7e19c8e97b1351377faa7a2477577d4171de8
AgentTesla
+ 2'730 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210222-mbj6bcywmn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44
MD5 hash:
b6ce7c1d81b9271eab825ea63de154c3
SHA1 hash:
0e7b89555314f8908c1098b652c9bf50e5ecc27b
Link:
https://www.unpac.me/results/9dade5f6-3984-4969-90fb-82180467cad6/
SH256 hash:
3a819a1cbc8d0a2f94bae5aa3545cb686763d8136a43914193f09f9e53b7c066
MD5 hash:
8f1479f58a650a00c55d6e99866e73a9
SHA1 hash:
26240b6aba719e4f3f3d36bb27a9e77f5c4179d5
Link:
https://www.unpac.me/results/9dade5f6-3984-4969-90fb-82180467cad6/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

cc8fae8f71d1dca6c99f7739e275c96ebc01237a206985d1fed7a97a75e407dd

AgentTesla

Executable exe 3a819a1cbc8d0a2f94bae5aa3545cb686763d8136a43914193f09f9e53b7c066

(this sample)

  
Dropped by
MD5 824a38fedfb257f8ebebb0c05d6b274e
  
Dropped by
SHA256 cc8fae8f71d1dca6c99f7739e275c96ebc01237a206985d1fed7a97a75e407dd
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118208/

Comments