MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa
SHA3-384 hash: c240d1d9c4ce010b6e4c24f67964528cef54e0b3445703d09dd862f2a893ac75368c6132716561351eb1811f9bcc2753
SHA1 hash: 29526a30740ca3d88f2c3c86a8ebae4c4d606d69
MD5 hash: 6bb05672c8f502dba5dcd886c3c83a6b
humanhash: foxtrot-aspen-oxygen-enemy
File name:6bb05672c8f502dba5dcd886c3c83a6b.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:797'696 bytes
First seen:2020-11-03 17:25:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7019f6d8353af8d9769c4901ee56f7f6 (4 x AgentTesla, 2 x Loki, 1 x HawkEye)
ssdeep 12288:X6lf28cLnCpZpA75eLXnEjuAkxXNcohdlCtSTbIi2:K5eU0MXELeXNcYllIi2
Threatray 2'320 similar samples on MalwareBazaar
TLSH F2059E32F6915837D1632A789D0B5768983ABE133D3DA9462BEC1C4C5F3928C3976393
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/82103/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Dropper.bh.14010.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Changing a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/519670
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308936 Sample: 6jM4U2DvLP.exe Startdate: 04/11/2020 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AgentTesla 2->45 47 Machine Learning detection for sample 2->47 6 6jM4U2DvLP.exe 6 2->6         started        9 YYtJku.exe 6 2->9         started        11 YYtJku.exe 2->11         started        process3 dnsIp4 49 Detected unpacking (changes PE section rights) 6->49 51 Detected unpacking (overwrites its own PE header) 6->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->53 63 2 other signatures 6->63 14 6jM4U2DvLP.exe 2 5 6->14         started        19 splwow64.exe 6->19         started        55 Multi AV Scanner detection for dropped file 9->55 57 Detected unpacking (creates a PE file in dynamic memory) 9->57 59 Machine Learning detection for dropped file 9->59 21 YYtJku.exe 2 9->21         started        29 192.168.2.1 unknown unknown 11->29 61 Maps a DLL or memory area into another process 11->61 23 YYtJku.exe 11->23         started        signatures5 process6 dnsIp7 31 us2.smtp.mailhostbox.com 208.91.199.223, 49737, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->31 25 C:\Users\user\AppData\Roaming\...\YYtJku.exe, PE32 14->25 dropped 27 C:\Users\user\...\YYtJku.exe:Zone.Identifier, ASCII 14->27 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Moves itself to temp directory 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 3 other signatures 14->39 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 17:04:43 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hnzqrblujltveybbfnbqcdf5sv4n6ngiqrihiuljuvvjtushn75a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0233c43ce1cf759e1d8c8d343b03bfbad84652b12fe32b0e54b7fc7c08bdcc88
AgentTesla
22235f4edec77bf047d6f5f3ea4d7b4abcc5b3468d306cb66b92e49001768fae
AgentTesla
3944c8a551e1b51be2f29adf187b63497c7dab93f88755bc086f4e7fc30a759d
AgentTesla
3f643208ad4025825d073c43dc40f4453df1cae39be3cc31b647236d76657fa1
AgentTesla
46df88abb8b7f783add8e2688ed3fc2632020fc30f6a87172264a4f434af2524
AgentTesla
493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927
AgentTesla
67e8fcfa65a48b5ef7288e91ac8ddab1180cf33150471357485511509955413c
AgentTesla
76e9f23704658774f7a6e20425ab60b0575ba40ab95b5ec670b5601a7c3ccb19
AgentTesla
98b586cd2517a8296335f30e0e363ab72b047d10e50cec33f41ed93b6b492ca6
AgentTesla
feb639dabb33ddc8d08dc3065a7a869225419d52be2aa0ec247377607a426ef3
AgentTesla
+ 2'310 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201103-q81pljrp96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa
MD5 hash:
6bb05672c8f502dba5dcd886c3c83a6b
SHA1 hash:
29526a30740ca3d88f2c3c86a8ebae4c4d606d69
Link:
https://www.unpac.me/results/2ea4f3cd-835c-4ebe-80d7-5a2cb222143f/
SH256 hash:
4c54b10e2af89312f205d1fe2ef3434966d2d2e862ff7147a4b63cef9aad44ad
MD5 hash:
27afeb26b52e026f1868bccb7896f1a5
SHA1 hash:
04010b99c756f7cc8d8e3eb82922a6faffac06ab
Link:
https://www.unpac.me/results/2ea4f3cd-835c-4ebe-80d7-5a2cb222143f/
SH256 hash:
25009974c4033b461189bb475e17b24ade13b796f6573f0d9457e47b6e796f11
MD5 hash:
d6d16000e52c38f7b3520229a752b9eb
SHA1 hash:
b4ae37fa24e7743b354323c08af6cc48c9c1af1f
Link:
https://www.unpac.me/results/2ea4f3cd-835c-4ebe-80d7-5a2cb222143f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/82103/
  
URLhaus
https://urlhaus.abuse.ch/url/783010/
  
Delivery method
Distributed via web download

Comments