MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

Intelligence 19 IOCs YARA 5 File information Comments

SHA256 hash:	3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671
SHA3-384 hash:	f755a0f7606e788f4424eae29a7239f6d1c3312889b667f1022194e3405e449a7fecb435be0eb172ef05d9c1c15598aa
SHA1 hash:	5a6553bea21e2df2307ed5c843072bcb023566be
MD5 hash:	bd1050f3642d22733a30cd101f591713
humanhash:	indigo-rugby-carolina-sixteen
File name:	Bestellung 0030520574.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	749'056 bytes
First seen:	2024-07-15 06:30:05 UTC
Last seen:	2024-07-31 10:19:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:tmoDWx2PQfRcudR5C3T+Lc7vaVs95ucinaj13Tp8K2:tHawMR9/gDR5yrQx2K2
TLSH	T19DF4124237EC6B54E4BA57B49574821067B3B1662A72E32E5EC430CD0DB77C09F06BAB
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	78dc9adce086c460 (9 x Formbook, 1 x SnakeKeylogger, 1 x AgentTesla)
Reporter	lowmal3
Tags:	32x-2024-07-15 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

331

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe

Verdict:

Malicious activity

Analysis date:

2024-07-15 08:42:32 UTC

Tags:

evasion stealer agenttesla ftp exfiltration

Link:

https://app.any.run/tasks/e5bc92b9-0ec1-46bd-b29c-f62ab2c47c97

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Rogue.0hr.20240715-0636.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6694c1f5cadc6250d0555a79win7simulatehigh_evasion

Tags:

Banker Encryption Execution Generic Gensteal Dexter

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Stealing user critical data

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6694c22d98b20a66261cf1c0/reports/0b611624-5021-4ea5-9a6a-bb2e99f67802/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1e53eca5-71f1-4159-8d2e-834575df5b28

Result

Threat name:

AgentTesla, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1473319

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-07-15 04:04:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hp6lj54yxjr2dumiq7fwpsioba6vkynfqe3krev5tfcffddqozyq._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla execution keylogger spyware stealer trojan

Link:

https://tria.ge/reports/240715-g9jfkasejj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2fa1afcd-09af-43f1-a68d-3a3c110fb3b9

Unpacked files

SH256 hash:

58647973a81508d3bc7c0449f593f28565de79f62ca8cecd9d71a2695737b137

MD5 hash:

acd5f5334ee02912ff9a620261c35ffb

SHA1 hash:

8a30d9343f72f1d9bab103774c94ab977675c17a

Link:

https://www.unpac.me/results/4f73993a-fc16-4b29-ba51-edcadeec22c7/

SH256 hash:

27379f8e292c673f647b2c15cf0f49551ac840aee1bbfac0de4eaebe80444f39

MD5 hash:

5df6cc61f2c40fcfd59ef50456d4f939

SHA1 hash:

88702bf699e83eff534e1ede69c54f0cc3507d6b

Detections:

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

MALWARE_Win_AgentTeslaV2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/4f73993a-fc16-4b29-ba51-edcadeec22c7/

Parent samples :

9425ce0b45470f864d3480c481ba15256a14326b83cd511dc6de8f060735252d
40317f210d1785b8daaab8aa3d3e9375e2dac7197f490ff0cf0a5946c809bdd4
3d3bbefe3649e755efcae85beea48af371b2375111e78edc4210bfd28f267365
f17b71582e6bcd27cb480ed09318139aae8a42ba99bd2dd89fb879cbd99ef4e9
f97fd213f635f47352e1c91f775873ffa1b7e8234bd3d6ceba3768b660294c49
8663c50531fdd842b6db773429fd2d963a2a9d484e09325d18c0ad2a3f1e4338
6b1b19d90b7b671f6e4ab9be73fc0355b4b5c03f2d1947f0e32eb8d7e35f36df
ab92bcdeac6ebabe41a3e5114379fe8ba179f665ed9811fac701c29c74b37bbc
3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671
2b1262c7947a2df4228748a5764446b9a2b1d3e3e9df4517a6ee2b5ca6c73fab
4a88d515600a389b686c2674cb10d053720eab06b16bd6c8ad99e06157980283
c17e06753e71aa66826658cc44f2e620b39d0e52b26d7dc5747ad5966f0ae0a3
2b52adaf5b7b699d02ff68f82879d2379b82ca9ac41c0ae32edfa9d549eef62b
f4890d26e1178637e5cfc88593b9eb3eef9fe3e6e573d3071013522edda4b2d9
16613cc199b2ff7483991ca93cfab547dee76472d5e04d898f75a4b75fd9516a
5e76293782e965bac8459c0c74ac3d7c0144d618ae141bcfecf93c83039edf84
7d66e91a1d365a9fe81b281da7beafa77918af41a5de7b22df6b17571d578c09
17a0ea433e1d3035d983f335f1135d3d2e5e9d7752c8ff27216fb994d6b239a7
9bda9d3b9beff81538faa4c9156c9b9e1756f789e8fc034601c449a25ddd22df
a0dbab52b11faa8a506303a66c984966164d928537aef52f8049eb4fe1e85f5a
c50345954419964c0d0e3f3c17b9e36b1a57ce73e4a9bd12846518419b39df6d
d3f15485f2bdde820d20e620dfb1a427ceddcc124df5317cc22ba1fc97aa2cea
f2f7a78a50e30ea654a93e6bdc7e53ab6a6b50b5018dfd36a9599bb9725bcbbe

SH256 hash:

1bb4840538b8a367866894b14c4aa62c2905fe4ec8ebd633fb8c8c8864a37293

MD5 hash:

222df17caf2704d5edc6772d672cd705

SHA1 hash:

27851dd2812599b460335dd978110260fda327e1

Link:

https://www.unpac.me/results/4f73993a-fc16-4b29-ba51-edcadeec22c7/

SH256 hash:

1914c8b4758afa32360cf0d8bdb9e22702af25252404dacd6188c7574948feff

MD5 hash:

4c88049b15b8948db110a66c4210bf1b

SHA1 hash:

057d27b8dd4ef39aaad8b9154244397a5ff2110e

Link:

https://www.unpac.me/results/4f73993a-fc16-4b29-ba51-edcadeec22c7/

Parent samples :

d43fa50daa883b42bb53678fcb1a9e956bbdb6bb6256ddaefcf5e4dadad450dd
0955e1c717cfb3cc4b97d2e22f2e1f6493b6afa62f94e8d068baa3946f47f820
5474194c07b4f0b5144069d189cd55adfd2e9e8e89bbbdba6153e173a094ff42

SH256 hash:

3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671

MD5 hash:

bd1050f3642d22733a30cd101f591713

SHA1 hash:

5a6553bea21e2df2307ed5c843072bcb023566be

Link:

https://www.unpac.me/results/4f73993a-fc16-4b29-ba51-edcadeec22c7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample