MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3afa2f6a6fa28303c9fd4bc4f9c6f5c7ba36c0c58a8d161c106228a919d2d8ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3afa2f6a6fa28303c9fd4bc4f9c6f5c7ba36c0c58a8d161c106228a919d2d8ed
SHA3-384 hash: 1818fb2654910db310dff05b33f313a19e8c3baf4025040e3d61f4decb1cb19b4552729c430c17d1d4788ad259c2ca50
SHA1 hash: 254f502d0e9709f95bbe045a4516afef612ce9e7
MD5 hash: e249c3cf931a39ce861670aca977b737
humanhash: six-queen-mars-august
File name:e249c3cf931a39ce861670aca977b737
Download: download sample
Signature AgentTesla
Create hunting rule
File size:240'183 bytes
First seen:2021-08-23 19:08:04 UTC
Last seen:2021-08-23 22:12:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ef74f7b87fa15b6df54d064a5b8ef31 (10 x AgentTesla, 3 x Formbook, 1 x AZORult)
ssdeep 6144:x9P+k59oF8WaZbzbFXKSh1KGhDwoNzgc/P/97gPiS:x8k9DWaZpXL1KWDwdId6V
Threatray 8'801 similar samples on MalwareBazaar
TLSH T1763402264BECCB77E88506B99AC8987833396FBDB16F183AEB05F119B171DC14C60635
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e249c3cf931a39ce861670aca977b737
Verdict:
Malicious activity
Analysis date:
2021-08-23 19:11:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/df927de9-783e-4cad-b490-b1a8c90a3b38

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/181615/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.6636.4552.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffcb2d0d-d719-468e-88da-03415d101595
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837787
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3afa2f6a6fa28303c9fd4bc4f9c6f5c7ba36c0c58a8d161c106228a919d2d8ed/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-23 19:09:05 UTC
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hl5c62tpukbqhsp5jpcptrxvy65dnqgfrkgrmhaqmiuksgos3dwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
31ab2bfd738bd5e28af20fbf5833b7173fffa70ffe4453a6710f73999c9516b4
AgentTesla
6bf069abd9545acb9c28ea325847c2c00cb8eaf93b6ebacf06b0d38d363573ba
AgentTesla
78ac5419d87578e87f5b0aa9e99714044cdea7632329064f467db8f95e5eaa19
AgentTesla
abe6a77fefdede7de287d151689f87a3f59eb496d94351f4085b3bc1a6b755c2
AgentTesla
b5648af3a78134f62d9385b8cb2408f155f7c253f515f08143ff19ed74992fcc
AgentTesla
e3ef14eb257c49d94dab868e5f31cc0d692b9244ec6e95157aad074400be23d5
AgentTesla
ef5bbee3204de76c05424d5b000743e94acadff8a67a97d95ff3bdb3496b3190
AgentTesla
+ 8'791 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210823-gl6p9eheln/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1fe811b51da1ee49d78049993ccd8a7c2522d58e8bda3e118c447c4aaeec4f83
MD5 hash:
aedcc7f1f1fab41550ed505cd13a2fbd
SHA1 hash:
9530cdf3a1779272b54e71dbcc3f74b326af1fbd
Link:
https://www.unpac.me/results/06fb6c7a-8b14-46f3-9340-83816060e25e/
SH256 hash:
3afa2f6a6fa28303c9fd4bc4f9c6f5c7ba36c0c58a8d161c106228a919d2d8ed
MD5 hash:
e249c3cf931a39ce861670aca977b737
SHA1 hash:
254f502d0e9709f95bbe045a4516afef612ce9e7
Link:
https://www.unpac.me/results/06fb6c7a-8b14-46f3-9340-83816060e25e/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3afa2f6a6fa2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/3afa2f6a6fa28303c9fd4bc4f9c6f5c7ba36c0c58a8d161c106228a919d2d8ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 3afa2f6a6fa28303c9fd4bc4f9c6f5c7ba36c0c58a8d161c106228a919d2d8ed

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1557941/
Cape
Cape
https://www.capesandbox.com/analysis/181615/

Comments


Avatar
zbet commented on 2021-08-23 19:08:05 UTC

url : hxxp://psm-ir.com/gemni/nd.exe