MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ca46cbfdb8930e476e9452091a56cf37a28f848a88435463c6b08c787ea59ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ca46cbfdb8930e476e9452091a56cf37a28f848a88435463c6b08c787ea59ad
SHA3-384 hash: ff43475a3453ead4a95c833344a6d1545905b17aa9db30c38388cebf405ee68059168b3db4738a1d2fae0b3dd9c02693
SHA1 hash: 669f51b88ac34c10eba38a75465aee3cf708077f
MD5 hash: dc9cde2ad579040be65335f921aa9f98
humanhash: sodium-fruit-rugby-alabama
File name:PO6738223.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:728'064 bytes
First seen:2023-09-29 11:36:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ScfAckj5sVCwE25gCufGVu+k7ygadFCFy7ACwJSk0/FAa8P9q2l6nDk85W:fkeVzz5Efiub72403wUk0/FiPEtn
Threatray 4'910 similar samples on MalwareBazaar
TLSH T173F402039B891292E1BA62756A71013003BB6916DD3ADF5C0DCCA48D1FFFBA1B554FA3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 229878f8b4f031c4 (24 x AgentTesla, 5 x Loki, 4 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451957/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6516b6ad0870810f01892898/reports/1a0b70e4-5827-4eb7-ae9a-fb1a2fb6347c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/3ca46cbfdb8930e476e9452091a56cf37a28f848a88435463c6b08c787ea59ad
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/18dc2655-ce36-4b14-926e-08b57fb9d0b5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316530
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ca46cbfdb8930e476e9452091a56cf37a28f848a88435463c6b08c787ea59ad/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-09-29 06:37:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hssgzp63reyoi5xjiuqjdjlm6n5cr6civccdkrr4nmempb7klgwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c5191bdd545d9c2abb7809fa5a342adcf3e766bc4c4e320f5799b4430bbb203
AgentTesla
113e16425e010952150f3c1f7ae615602cd4ca30826b0e7518aa058341058a94
AgentTesla
2628313da5e34653481666207066dd34c810d7285cebf4b1ecea700ba8aed211
AgentTesla
59b1624b294226b93b186dc503efd7c48937542eec03b0d32d27034729c2a733
AgentTesla
820df4a19df250b71093f35ad7e6a1e4c7bdfc58c6745cbdbb29bca9ee218487
AgentTesla
984be8706b65a53d26f032b9471751943cbf5e35d8c4baabcac153053949e283
AgentTesla
c6a0026a78d283724646d2cd5db9fa459a0bd306e19e50c6c23826603b6438df
AgentTesla
d85278c4099b913c69779c4b69a0c85cbb0d7cbe72ae9a324b798a0fd2e02fb7
AgentTesla
eb47fa04d84b315142efd50e7bbee163d5cf49de82c961022f4199847e111d78
AgentTesla
f6179cbf2bc8c51ab1acf7f5b4fce4857a27d6edc8ddc8d37a99476596d1e0cd
AgentTesla
+ 4'900 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230929-nql6nsbe69/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
5ab11a933c95891b62f1ba94f38cdf01ded8f19061946601670c430d084dd007
MD5 hash:
24e1d07ed94115e19deac95b30c3af96
SHA1 hash:
bb6c15b4d1cbc2b3307a58af6d0c3d5ec6ce4e09
Link:
https://www.unpac.me/results/3c1c251b-4107-4a06-b16c-5ef5f4ee3d43/
SH256 hash:
fb6669feaeb355648df550657a56657e7aed3b09e03dcf83bd8911568111f607
MD5 hash:
6049b33240aac2a4dfdc9125def765fa
SHA1 hash:
9a8cb44c8aa82054dee1d2c8a61d6948a6079400
Detections:
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/3c1c251b-4107-4a06-b16c-5ef5f4ee3d43/
SH256 hash:
bc6e1487bee00a8fd2b639ee4e60867d7e409bd3cb6be1451f5ddbce26340766
MD5 hash:
fe233bfa89c7e26811c45fec198f7937
SHA1 hash:
6f0af0f155b841786f43b01e0c1c033aa277cdbd
Link:
https://www.unpac.me/results/3c1c251b-4107-4a06-b16c-5ef5f4ee3d43/
SH256 hash:
ff7cdc0ae138231b24b4bf24e4865b43f33079838e8f04b293c786953154d0ed
MD5 hash:
7c6f480032e6e26459f71c45e7baa56e
SHA1 hash:
41215d8fc81cc1817e6145db208d73864d56fcbc
Link:
https://www.unpac.me/results/3c1c251b-4107-4a06-b16c-5ef5f4ee3d43/
SH256 hash:
9d82b529a45bc8b607bc5b4c6ee9bd2dc2022cdcb1cca444af0ebe9b46c2fbf3
MD5 hash:
5a6f5c961871c5971bd0bb43f6e576bd
SHA1 hash:
10a3eaab0721abf01e85907eb0d82bf3276e341a
Link:
https://www.unpac.me/results/3c1c251b-4107-4a06-b16c-5ef5f4ee3d43/
SH256 hash:
3ca46cbfdb8930e476e9452091a56cf37a28f848a88435463c6b08c787ea59ad
MD5 hash:
dc9cde2ad579040be65335f921aa9f98
SHA1 hash:
669f51b88ac34c10eba38a75465aee3cf708077f
Link:
https://www.unpac.me/results/3c1c251b-4107-4a06-b16c-5ef5f4ee3d43/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ca46cbfdb89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3ca46cbfdb8930e476e9452091a56cf37a28f848a88435463c6b08c787ea59ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3ca46cbfdb8930e476e9452091a56cf37a28f848a88435463c6b08c787ea59ad

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/451957/

Comments