MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b657298a18c54b3d55c3e5001fff9b6933b6f58bd3dd0b4a73de1307328917d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	3b657298a18c54b3d55c3e5001fff9b6933b6f58bd3dd0b4a73de1307328917d
SHA3-384 hash:	aea578a0e2d23886aeaa4e52af36a86dd66142b8235811f30792d11147d773a3bca8802cb044b472c9b2c686a9564dfd
SHA1 hash:	6e49f39797973bb8e84c948513650e162a959fb1
MD5 hash:	e957183ceeb1273fa622cea7c131bce6
humanhash:	low-green-lithium-yankee
File name:	V3VBer0SWvCpdTY.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	879'104 bytes
First seen:	2021-07-12 11:37:29 UTC
Last seen:	2021-07-12 12:42:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:Ite3ocREXN5GnTOdU+CHpZszK/WrFouyDAju+P60uh4hoH3qh85FIH8vO8ug:It8ocRr/WeAjlP6agE85qcz
Threatray	6'600 similar samples on MalwareBazaar
TLSH	T10C155B2C33BDA249F13BFFB4DF64A6049FE675669725D54E2DD0028E1420E80EE76932
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

V3VBer0SWvCpdTY.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-12 11:42:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d595218e-ca36-426c-901e-e60a64099143

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/171059/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.925.12579.561.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/22e7fb91-08d2-4a0c-9827-bda3743d731c

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/814784

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b657298a18c54b3d55c3e5001fff9b6933b6f58bd3dd0b4a73de1307328917d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-12 10:09:11 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hnsxfgfbrrklhvk4hziad77zw2jtw32yxu65bnfhhxqta4zisf6q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

311c2667d094e51f0ad2596333a243ca6296d25c07223abf95af0256ed7aeb97

AgentTesla

4ce8eece17b8084a16d4293aed757d051178c37d56b1b0ce8b9aa0af9c861251

AgentTesla

8021c889d10d4c4f3b8f6f57c133a0555dac514a5b9e280c3b9ab34c2e2ecb50

AgentTesla

8cafbdf8e6cad776ad993ca3bdd470f5fc7d7fa1e2853df483f951204022943e

AgentTesla

9cf2a057f02576f4223e7c2f8ef4c217944385df4cd3180029ff96b80122d752

AgentTesla

a3e84da58dbdc9813c1a8bd17a5b07e39f8d1322b8ee7d70bd5fe61b481ac492

AgentTesla

a83fc1372384a42b479adbba691e5de280f53df2045b1b7246d05f6003dac8af

AgentTesla

c08e280570de9dc368e7fa90a6da1f047c059e70bff357ef99e4b3fac88b4b54

AgentTesla

f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236

AgentTesla

+ 6'590 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210712-c6a3ycf6ka/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4

MD5 hash:

b0e14c3526d6623ae9b7b5f5e0efde76

SHA1 hash:

f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc

Link:

https://www.unpac.me/results/75cab0da-f5bd-4da7-814b-98d26153f846/

SH256 hash:

e74fd412892a030fbe672627461d2b62747c8c92b48a03b38c5a6e89049b911d

MD5 hash:

66fc3a5758c83f13b93692831bfbb6b5

SHA1 hash:

e2402bb310faa8c605ada810cf84bc0a0ae9a364

Link:

https://www.unpac.me/results/75cab0da-f5bd-4da7-814b-98d26153f846/

SH256 hash:

24e212ba9fd7ff256b083ddaa830c032bd69f18e9fdd5bd608bb4256cfa8f3d7

MD5 hash:

81b70032a700c4995789b238315f695f

SHA1 hash:

4092e5540f7aca31e0a8b7adc44963aea53fcc62

Link:

https://www.unpac.me/results/75cab0da-f5bd-4da7-814b-98d26153f846/

SH256 hash:

8b4b32504f80a6c0d80bda8b5e8e664999b45a3be091db70130f9beb13735a9e

MD5 hash:

cbc452babf68dc27ad8cd48964ac2fec

SHA1 hash:

3318a2a372a4a1b30162c011ed98f86a1e4e60f4

Link:

https://www.unpac.me/results/75cab0da-f5bd-4da7-814b-98d26153f846/

SH256 hash:

3b657298a18c54b3d55c3e5001fff9b6933b6f58bd3dd0b4a73de1307328917d

MD5 hash:

e957183ceeb1273fa622cea7c131bce6

SHA1 hash:

6e49f39797973bb8e84c948513650e162a959fb1

Link:

https://www.unpac.me/results/75cab0da-f5bd-4da7-814b-98d26153f846/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/3b657298a18c54b3d55c3e5001fff9b6933b6f58bd3dd0b4a73de1307328917d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171059/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample