MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b7070739c07ae5e0cb4d7d49c81602d9f55bfe65c60c68d566b4eb501daa5a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b7070739c07ae5e0cb4d7d49c81602d9f55bfe65c60c68d566b4eb501daa5a1
SHA3-384 hash: c6a94abdafe81fbf0a272e332427e7f65cd9ffd9c9da89bf23bc5e5391b9d876a5a968e248727c25a595d2b037edda03
SHA1 hash: 649e3bfeb2df29cef40c02c52f0a83268c71f1d5
MD5 hash: ddea72b85b45a27f07c23efe6611ca85
humanhash: cat-venus-two-bluebird
File name:PO09858.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:526'848 bytes
First seen:2021-10-05 09:26:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:ZOPAbbOYRzfhnhTQ+3HwOcc0WHW0CpkYags0QQQME6ZXnDfi00hORy201+wzel0l:Xz/0occ0W20Cpkh9SEWXn3Ie4drR
Threatray 10'740 similar samples on MalwareBazaar
TLSH T12BB4DFA833AFAB05DD398FF4151C91C293B66C371169D7390ED5B1EE1E22B700A91B93
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194967/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c2b96b95458900cdc61bd/reports/606fc93d-57bb-45da-841f-eafc3f78e77f/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/674325bb-a5ab-4d33-b8d6-cda7d922bd83
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864639
Signature
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3b7070739c07ae5e0cb4d7d49c81602d9f55bfe65c60c68d566b4eb501daa5a1/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 08:20:43 UTC
AV detection:
7 of 45 (15.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hnyha444a6xf4dfu27kjzalafwpvlp7glrqmndkwnnhlkao2uwqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04468aecad4b1a4865d357bb60a6d86060f9390418e9065ede079c1310b3f8f2
AgentTesla
268ca772e3e7bef1a82759917e3b9c4377869aa7cb04a829397978adf495c340
AgentTesla
28361df2e00fefcda07f805ea5c17613194fd69b28f143d393f8aeb123cc5eb8
AgentTesla
620c140c63e18539f6e94c7310b9705bde63425fc8f10628ef24356a26f7db24
AgentTesla
72684a74349ce5fc82b27e2a5db12508ff040c352f920ed69fc688162f722c74
AgentTesla
b7e958ad3d7b10e4a79344e347a8f012f81e4caeb4007fbe0e6dd816bd48e221
AgentTesla
bec15fdabcc004c876a014db3ddf35482d79b606aac9430446878f9cc90c8161
AgentTesla
cd8487ac5df9ba5e288aeb4bdf2226611dbd1942a55cfdb93bf9d5f37e103ca8
AgentTesla
d70dd46e7665afd47e252273c19314500682a1aede68b0d2dbfb653a96468fe1
AgentTesla
eb9581db02db6a23a836ba53574cf0d01bd50a6d368f10f77889a441bcb911cf
AgentTesla
+ 10'730 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211005-leq95shhbl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e60c71a3cafa86b370e02270a19023068c2a9491e6e621fac6cda033eb488081
MD5 hash:
132db1617757bd8770383741aa28b9fa
SHA1 hash:
d77cf66e14b5935df3ab42d51131d135a5e897fa
Link:
https://www.unpac.me/results/f0c508a2-ab91-439c-ab20-5b7fb2bab8a9/
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/f0c508a2-ab91-439c-ab20-5b7fb2bab8a9/
SH256 hash:
ac7ecd5be1106f70a338617445c183cefcffbdfca03fe7aeade7cb88697d9357
MD5 hash:
ee9b288502d3cf09dba4c82180dc193e
SHA1 hash:
1d2d88d86bc965269bc6fcf11f0a1e35ff6127b8
Link:
https://www.unpac.me/results/f0c508a2-ab91-439c-ab20-5b7fb2bab8a9/
SH256 hash:
3b7070739c07ae5e0cb4d7d49c81602d9f55bfe65c60c68d566b4eb501daa5a1
MD5 hash:
ddea72b85b45a27f07c23efe6611ca85
SHA1 hash:
649e3bfeb2df29cef40c02c52f0a83268c71f1d5
Link:
https://www.unpac.me/results/f0c508a2-ab91-439c-ab20-5b7fb2bab8a9/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3b7070739c07/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b7070739c07ae5e0cb4d7d49c81602d9f55bfe65c60c68d566b4eb501daa5a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3b7070739c07ae5e0cb4d7d49c81602d9f55bfe65c60c68d566b4eb501daa5a1

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194967/

Comments