MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3be752d12bfef05ebb3fdd132ac61a8b68ce444e761abfcde841a02522328ec4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3be752d12bfef05ebb3fdd132ac61a8b68ce444e761abfcde841a02522328ec4
SHA3-384 hash: a706480b94791e3268691a611fffc50e4b3496eddfc2add8541e7dd06ce346954c7862a823c5a391414ab8c6d3c8cb58
SHA1 hash: aca0007403cc0163ee0a6b85d714a0f4b7d2dcfe
MD5 hash: 23cd9bca5c2fafca8be289192e132868
humanhash: ceiling-earth-potato-lamp
File name:e-dekont_html.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:850'432 bytes
First seen:2023-06-20 13:42:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:i2qlTQcqPM7q6bpw4dcZda/igw9wwDxxsTJF8L0m7R/01sIIBghpIpIKUkIU/:TcJzu4CZdOkwWsTX8wm1/qNIBg3IlBj
Threatray 1'234 similar samples on MalwareBazaar
TLSH T18105F10122A80F57E13E87FC4450237097FD6A5A706BD74ACEC3B0DE6EA5FC24A59A17
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e-dekont_html.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 13:45:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aa2192f8-6d35-407e-a501-37eb3e5d77b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/401113/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.30166.19366.12397.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/6491ace863e40cba68018cd4/reports/bfb2e637-006f-4444-810d-c62096914e39/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/3be752d12bfef05ebb3fdd132ac61a8b68ce444e761abfcde841a02522328ec4
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/462c3a69-b50c-46ba-b6d9-81a4f30c775d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258279
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 891308 Sample: e-dekont_html.exe Startdate: 20/06/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Found malware configuration 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 6 other signatures 2->59 7 e-dekont_html.exe 7 2->7         started        11 jSEpsOjTwvqwtg.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\jSEpsOjTwvqwtg.exe, PE32 7->35 dropped 37 C:\...\jSEpsOjTwvqwtg.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpB89D.tmp, XML 7->39 dropped 41 C:\Users\user\...\e-dekont_html.exe.log, ASCII 7->41 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->61 63 May check the online IP address of the machine 7->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 7->65 67 Adds a directory exclusion to Windows Defender 7->67 13 e-dekont_html.exe 15 2 7->13         started        17 powershell.exe 18 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 73 Injects a PE file into a foreign processes 11->73 23 jSEpsOjTwvqwtg.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 api4.ipify.org 173.231.16.76, 443, 49702 WEBNXUS United States 13->43 45 api.telegram.org 149.154.167.220, 443, 49703, 49705 TELEGRAMRU United Kingdom 13->45 47 api.ipify.org 13->47 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        49 104.237.62.211, 443, 49704 WEBNXUS United States 23->49 51 api.ipify.org 23->51 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->75 77 Tries to steal Mail credentials (via file / registry access) 23->77 79 Tries to harvest and steal browser information (history, passwords, etc) 23->79 33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3be752d12bfef05ebb3fdd132ac61a8b68ce444e761abfcde841a02522328ec4/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 07:06:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hptvfujl73yf5oz73ujsvrq2rnum4rcooynl7tpiigqckirsr3ca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
339ae2cba0f3ce8bf4b3098daf78d5e4bfadeeae26762c697bdb63788927ee77
AgentTesla
6689c58325956e0d5afe938fc8139589f85d44ff8733a6080c123eac34219e5b
AgentTesla
6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b
AgentTesla
7e38d8f8a3433cbbb08248807ac6ceae67206bf6aabd7dc0f51f146779adf51b
AgentTesla
af87ecc512fe3271689f7674ab31070633ac5a85b3a5b2ac585068f3127b77c7
AgentTesla
d01060cd9a636414bd6e2e09712a5d12808fe8d3822ac1bb1e5bc90eb7f9f69c
AgentTesla
d964a65d39458176447fdb930e03e6534c19dcc556abde4cb522fa2aeb8289e8
AgentTesla
da9ce816092043ded7f22e3368f1beaa75577190bdab4da16936d7c1bf774e84
AgentTesla
+ 1'224 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230620-qz83xacd44/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5994874636:AAFAs60FDcN9tT4SP4mwAZ5jakwLFqQV0hk/
Unpacked files
SH256 hash:
bf30f7032a6e2fdd6a872718de569645dda2c9e734a4f90a77e5af9a58d75812
MD5 hash:
29432c0db5445ce74b8a1042234187af
SHA1 hash:
fdc1bce5c868fbaed48ff27b3cc73b752bc66e75
Link:
https://www.unpac.me/results/5c595f8e-6e4c-414f-8ca1-e35b06f99245/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/5c595f8e-6e4c-414f-8ca1-e35b06f99245/
SH256 hash:
7a29e00726e377efae67936e97251c616d88398333a3557f9ef34581fadffb90
MD5 hash:
67f6023ec7fed71737306c2262c1bc7e
SHA1 hash:
cc244b7e23a934d7541e11be9d8af6375ce14669
Link:
https://www.unpac.me/results/5c595f8e-6e4c-414f-8ca1-e35b06f99245/
SH256 hash:
6c2dc6a7ad6974c1ef6204a3a4eecaa11ede048df526d47731e9a1da208e5d7e
MD5 hash:
6696b8857e02b4e5a06b3b9e95017b9c
SHA1 hash:
519e5ace2944dfb7f944ab9924546335aef9d3e6
Link:
https://www.unpac.me/results/5c595f8e-6e4c-414f-8ca1-e35b06f99245/
SH256 hash:
a1c7eb7d1ba58c07cbac73c25ffbf0374d7223dddd3fb6cad45d3a854a5209ab
MD5 hash:
0acfac0078e0d98c617c6af11ad09db3
SHA1 hash:
0b665fcf7864ba6d705c8286175991375f14c130
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/5c595f8e-6e4c-414f-8ca1-e35b06f99245/
SH256 hash:
3be752d12bfef05ebb3fdd132ac61a8b68ce444e761abfcde841a02522328ec4
MD5 hash:
23cd9bca5c2fafca8be289192e132868
SHA1 hash:
aca0007403cc0163ee0a6b85d714a0f4b7d2dcfe
Link:
https://www.unpac.me/results/5c595f8e-6e4c-414f-8ca1-e35b06f99245/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3be752d12bfe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3be752d12bfef05ebb3fdd132ac61a8b68ce444e761abfcde841a02522328ec4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/401113/

Comments