MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b7316582c9b3d382e1050a88b6a07640c45de22be0f547c6bb04866e394e2b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	3b7316582c9b3d382e1050a88b6a07640c45de22be0f547c6bb04866e394e2b8
SHA3-384 hash:	16291450c477c1ca3557202b4ac1d4ae071136b28766b2e9332c413d833a2591964c9263441e900f02cf38c568254e8e
SHA1 hash:	7d6b73844c2bc14c1b1a88b43922d605e3d5c8f8
MD5 hash:	6d438ecb10ecfbe8f9ad910aeea5a2ae
humanhash:	purple-fillet-connecticut-table
File name:	IMG_056_102.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	486'824 bytes
First seen:	2021-05-11 10:37:28 UTC
Last seen:	2021-05-11 12:08:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:sRrRE272MKkwOuK/hYwkNztBMnyG+neYKCN:sHEw2OlZVwzDJG6eYKCN
Threatray	4'990 similar samples on MalwareBazaar
TLSH	49A4125222A8D461E68E883E6FC06ABC06976D808771854738FC3D96BFB7FC15167B0D
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/155042/

Detection(s):

SecuriteInfo.com.Artemis6D438ECB10EC.10700.18748.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun by creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/778514

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Creates an undocumented autostart registry key

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/3b7316582c9b3d382e1050a88b6a07640c45de22be0f547c6bb04866e394e2b8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-11 10:38:23 UTC

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hnzrmwbmtm6tqlqqkcuiw2qhmqgelxrcxyhvi7dlwbegny4u4k4a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

6b75182568a1cf2fef851977be460536fe4a0af4aaf05b41a253c53f2af276fc

AgentTesla

798cecbce0139e502fd6b23a7d147480d25a168d93131ba2e59f5b81ddbebb28

AgentTesla

7a60f0565a5e3f4310090a6519ff72571a32d30bd4f89b641ce3aaccaab30b45

AgentTesla

89e80aaeb7d157eb24c0ad0f6336d0c496e8a706eb74e987b5bd4084d5abc7cd

AgentTesla

8d33ac3a6ed3e4e8608757bf57424e201c94f5418eb24d7a921fc9116d595c88

AgentTesla

9898c37e93d4e9a054c013f34ca57c1aa9130112c9104386219f94e1125d0b97

AgentTesla

9af09f28e2254b8b942f1a81403815fdbbad3e38b5c509aed0cef2ccac413ef6

AgentTesla

e64b92bf32ded15a31b4d29b24e7bcd4f20a8af4a62832384bc7e027a9ea41bd

AgentTesla

f1f5174c7267e492c229c159fcbcd8e0c11678a9bca170066efbd9824d77b030

AgentTesla

+ 4'980 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210511-9w2g9s7yg6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/3b7316582c9b3d382e1050a88b6a07640c45de22be0f547c6bb04866e394e2b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/155042/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample