MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b5ac4dabb34a13b2deef8dd1844b125c592e6eac2801a2c69c09b4b44675320. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b5ac4dabb34a13b2deef8dd1844b125c592e6eac2801a2c69c09b4b44675320
SHA3-384 hash: 054a666a2b7bb9d7359fd97e465544930c6ef9a9310df98d73ac598a3f8fa28a60bc75bc874da7538977af6f8e740460
SHA1 hash: 9560a9e307e3220a9d4736f8777a576a09f4d514
MD5 hash: 38d70f854c058261923d4e38b26d0b3a
humanhash: jig-cup-dakota-cold
File name:PURCHASE ORDER #PO-004-023.DOC.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:585'216 bytes
First seen:2023-04-20 08:21:54 UTC
Last seen:2023-05-13 22:55:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:XY/AbtfaGLsltdtfXZO1xPY3fE57qdbA9p6KPZnZ1lLDbXXam3rtRI4f2VCZkPve:XYAaGLy93fweciKBnZ195RJf2iHmk
Threatray 380 similar samples on MalwareBazaar
TLSH T10CC4F1B873C0974ED9052BFD5E046C4827F28CF9C0D5CE8ECA66A48B4DFD7614644EAA
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
277
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9560A9E307E3220A9D4736F8777A576A09F4D514
Verdict:
Malicious activity
Analysis date:
2023-04-14 14:27:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a9301d9a-df17-47a5-8b67-3b308b935009

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383654/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6440f63226946732736fffa1/reports/48b9a81a-7e50-4bcd-98ef-0bc922771595/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3b5ac4dabb34a13b2deef8dd1844b125c592e6eac2801a2c69c09b4b44675320
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae535257-5a78-4b5a-b95a-189a2f7b0e5a
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217765
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 850706 Sample: PURCHASE_ORDER_#PO-004-023.... Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 11 other signatures 2->70 7 PURCHASE_ORDER_#PO-004-023.DOC.exe 7 2->7         started        11 KGdTcL.exe 5 2->11         started        13 dRSoYp.exe 5 2->13         started        15 dRSoYp.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\Roaming\KGdTcL.exe, PE32 7->52 dropped 54 C:\Users\user\...\KGdTcL.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmp8815.tmp, XML 7->56 dropped 58 C:\...\PURCHASE_ORDER_#PO-004-023.DOC.exe.log, ASCII 7->58 dropped 80 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->80 82 Uses schtasks.exe or at.exe to add and modify task schedules 7->82 84 Adds a directory exclusion to Windows Defender 7->84 86 Injects a PE file into a foreign processes 7->86 17 PURCHASE_ORDER_#PO-004-023.DOC.exe 17 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        88 Antivirus detection for dropped file 11->88 90 Multi AV Scanner detection for dropped file 11->90 92 Machine Learning detection for dropped file 11->92 26 KGdTcL.exe 11->26         started        28 schtasks.exe 11->28         started        30 dRSoYp.exe 13->30         started        32 schtasks.exe 13->32         started        34 dRSoYp.exe 15->34         started        36 schtasks.exe 15->36         started        signatures5 process6 dnsIp7 60 api.telegram.org 149.154.167.220, 443, 49699, 49701 TELEGRAMRU United Kingdom 17->60 62 192.168.2.1 unknown unknown 17->62 48 C:\Users\user\AppData\Roaming\...\dRSoYp.exe, PE32 17->48 dropped 50 C:\Users\user\...\dRSoYp.exe:Zone.Identifier, ASCII 17->50 dropped 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->72 74 Tries to steal Mail credentials (via file / registry access) 17->74 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->76 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 28->42         started        44 conhost.exe 32->44         started        78 Tries to harvest and steal browser information (history, passwords, etc) 34->78 46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b5ac4dabb34a13b2deef8dd1844b125c592e6eac2801a2c69c09b4b44675320/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hnnmjwv3gsqtwlpo7dorqrfrexczfzxkykabuldjycnuwrdhkmqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04a42e9d0b1c019989d91249331e0920703296490ab8a565bed15e1a0e1742fc
AgentTesla
07191de70521a8e76624cfafc6eba3edd19d7784c4c4c683b55f3fd16e377b38
AgentTesla
48834270a70765c001a06f747884bc5289db6859b56609d0a7f2d1fd30cbb18e
AgentTesla
673a75c1f1f0092d9c281898b7e218b8c1440faa70990a5060bf8e560687e4b9
AgentTesla
702731122c8b3822ceb48373d0927109dceaad9de6bddb3ea451c3d406be5518
AgentTesla
80d41016c2bf67df26677e38cbb13ab1ea552e4bad0e8ecb5e6e462297a7694f
AgentTesla
ce3c9c47d811745d5534bf268331382438b274a112d2327396cdc8623e82f98b
AgentTesla
e79b787e97db18226583aa9c61b0b6bb5de29945714c74636eca2cdf4947cb11
AgentTesla
f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
AgentTesla
f8d91c8bc33c75ab7794e0c0a8498110cf03403daed2caf77a47975402be2e48
AgentTesla
+ 370 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230420-j9kdzaae7y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5829039825:AAHUTzihFHkYnCe5S3O2k7aL4dVLIHvYzbo/
Unpacked files
SH256 hash:
20771fb69694c0c5562ff74b0f441ca07b434fad673e5cb9e2d620983748b1c9
MD5 hash:
89ef592c6883f612c301a4a995296edb
SHA1 hash:
b745ed5f6d0cd9414e0c3cd779ab7288f3dfed3b
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/d0580a4f-49a6-4b69-a3ec-b2fe48477f75/
Parent samples :
3b5ac4dabb34a13b2deef8dd1844b125c592e6eac2801a2c69c09b4b44675320
b056411adcff1f851fbc546d40ccb20c45c5d4dc07ffde472514e10b2e632bad
321cacca1d81268ded64db8dfe9325631165d5000d4d2966564f6c6f7fb383d1
1bfb950deb3e17f180908c445173783b996cd3ef9c3b61b59b8ac67d96bde30d
SH256 hash:
edc0581178fe7021c83e411a40c79d47a242705bcab71593027b641a31987c5b
MD5 hash:
674c7ff7b3ae8f5370af284fff6110dd
SHA1 hash:
5e97a7df6bc5abc46ecdd5c115d4a7d719fdaed7
Link:
https://www.unpac.me/results/d0580a4f-49a6-4b69-a3ec-b2fe48477f75/
SH256 hash:
313e0c33c3815ed0b7e2afff8852027e17cf3b187a7ac1d861a80e026c770de4
MD5 hash:
e6f6019d84e912eba66189e1232ff0c8
SHA1 hash:
48cbd94aa1b63e4858d23f27bd4416c9d2c8933a
Link:
https://www.unpac.me/results/d0580a4f-49a6-4b69-a3ec-b2fe48477f75/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/d0580a4f-49a6-4b69-a3ec-b2fe48477f75/
SH256 hash:
7fabbf05aceae1dbd55cd512f7ceebef90e012cbc10c4e2276146c05bf566280
MD5 hash:
39931e408b884fcf60845366d9dc0832
SHA1 hash:
075951b6431e848c4ebe986fa0f25e18423af9f2
Link:
https://www.unpac.me/results/d0580a4f-49a6-4b69-a3ec-b2fe48477f75/
SH256 hash:
3b5ac4dabb34a13b2deef8dd1844b125c592e6eac2801a2c69c09b4b44675320
MD5 hash:
38d70f854c058261923d4e38b26d0b3a
SHA1 hash:
9560a9e307e3220a9d4736f8777a576a09f4d514
Link:
https://www.unpac.me/results/d0580a4f-49a6-4b69-a3ec-b2fe48477f75/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3b5ac4dabb34/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3b5ac4dabb34a13b2deef8dd1844b125c592e6eac2801a2c69c09b4b44675320

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3b5ac4dabb34a13b2deef8dd1844b125c592e6eac2801a2c69c09b4b44675320

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383654/

Comments