MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b6875a9b5a76d37087201c2514ad4b6a4235cfe0364c72370026d40ae90865f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	3b6875a9b5a76d37087201c2514ad4b6a4235cfe0364c72370026d40ae90865f
SHA3-384 hash:	7be8cfd8f74deac3ef5afd55978f191043302493de4926982e46b9d194483027d1d509db4c90f82f83553a233af80703
SHA1 hash:	6c30d6d9f2f1183a76c65ca902fe692e2616d6ef
MD5 hash:	f72f18eaee8a7b92ec068b2424257778
humanhash:	sink-saturn-oranges-red
File name:	file
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	2'964'480 bytes
First seen:	2023-11-17 16:12:15 UTC
Last seen:	2023-11-18 14:03:00 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:DKD/LTIMswDDluMIolfGu1BOu5dMj3iyIxAVS1rVXHi3waN58xVbps13iIvnHWvV:u3TnDWolfGKBOu5dE3YxzRa8xVba3
Threatray	63 similar samples on MalwareBazaar
TLSH	T115D54A5B7A010C63CDCE11F1A7ED09889A90C866170CED9A36D367CEA78DAE3577D183
TrID	40.9% (.EXE) Win64 Executable (generic) (10523/12/4) 19.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.0% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.0% (.ICL) Windows Icons Library (generic) (2059/9) 7.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	787064c4c4f808c4 (1 x AgentTesla)
Reporter	andretavare5
Tags:	AgentTesla exe

andretavare5

Sample downloaded from http://yashoda.brandwizz.in/netTimer.exe

Intelligence

File Origin

# of uploads :

# of downloads :

316

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

New Text Document.exe

Verdict:

Malicious activity

Analysis date:

2023-11-18 14:45:33 UTC

Tags:

loader stealer vidar stealc hijackloader redline lumma opendir risepro raccoon recordbreaker amadey botnet formbook xloader miner agenttesla kelihos trojan lokibot systembc proxy autoit spyware privateloader

Link:

https://app.any.run/tasks/5bc35b21-8151-4f2b-bf6a-ba981bac8773

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/458975/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2228.5838.29211.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/65579110841d05dc63d45c5d/reports/cfc9ce19-ee1a-4223-aa8a-1135582fa4ab/overview

Verdict:

Malicious

Labled as:

MSIL/Packed.DotNetGuard

Link:

https://www.hybrid-analysis.com/sample/3b6875a9b5a76d37087201c2514ad4b6a4235cfe0364c72370026d40ae90865f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/19490997-7e6c-4cd6-9cfd-163c374e7755

Result

Threat name:

Phonk Miner

Detection:

malicious

Classification:

evad.mine

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1344242

Signature

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Phonk Miner

Behaviour

Behavior Graph:

Download SVG

Score:

52%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/3b6875a9b5a76d37087201c2514ad4b6a4235cfe0364c72370026d40ae90865f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b6875a9b5a76d37087201c2514ad4b6a4235cfe0364c72370026d40ae90865f/

Threat name:

Win64.Trojan.CoinminerX

Status:

Malicious

First seen:

2023-11-17 16:13:06 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

11 of 23 (47.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hnuhlknvu5wtocdsahbfcswuw2scgxh6ansmoi3qajwubluqqzpq._file

Verdict:

suspicious

Label(s):

agenttesla

AgentTesla

4e5379b783c36ca07f22c4203d203616228c1cd4411c11aa52808033e24d2ece

AgentTesla

b2f4f507571ff0b863c431e03fc40893e651f2a887ed1db62f16ff84ad61aa07

AgentTesla

d273d63ec7562e27003ad53db329429452d86faef87b6d64b72875cdb1dd3cee

AgentTesla

f07483b6c09732c8d5e094bd2e2b405477ddbf8e220c12bd7982bc132cf44a04

AgentTesla

f40c9f68a47c4aa0dc1e383cd32527cc7f3609a5bffededa16c915687eeefd4b

AgentTesla

fec6af49d1a7c7b4bf3af5e663b80ff142788e7d79b312a2180ec7b8b89f18d9

AgentTesla

+ 53 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231117-tn3crsbh5s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

3b6875a9b5a76d37087201c2514ad4b6a4235cfe0364c72370026d40ae90865f

MD5 hash:

f72f18eaee8a7b92ec068b2424257778

SHA1 hash:

6c30d6d9f2f1183a76c65ca902fe692e2616d6ef

Link:

https://www.unpac.me/results/b50bb0c3-e0dd-421b-9675-97103931a372/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3b6875a9b5a76d37087201c2514ad4b6a4235cfe0364c72370026d40ae90865f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2730656/

Cape

https://www.capesandbox.com/analysis/458975/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample