MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cbc16e758d2dd21158d4a2b832b42f53a2acc99763e5f1201eed468ac52403e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cbc16e758d2dd21158d4a2b832b42f53a2acc99763e5f1201eed468ac52403e
SHA3-384 hash: 244bd2427dae8c2586d1597ab9f7929c27c82921836e9831897d3a097d0ee51d4cc542925dffff20ad638a52d000d2d4
SHA1 hash: 7079e670eb3d99b090e7658a05137f266b36b287
MD5 hash: 84db6d6d5b5934bb849939080ad4287a
humanhash: april-undress-equal-stairway
File name:84db6d6d5b5934bb849939080ad4287a.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'155'584 bytes
First seen:2021-07-01 10:18:06 UTC
Last seen:2021-07-01 10:59:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:hHjUyIvbr3Jptm7uhzhMelSKESxB4/vln4kylsKyLykhx:hjUPdSuhzhhoKESg/vFXylsKyOkhx
Threatray 6'289 similar samples on MalwareBazaar
TLSH 0E35D01BF7099A45C9942238DCFFC2B41375ED877D128B1B2E987AED3C72312C9516A8
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
84db6d6d5b5934bb849939080ad4287a.exe
Verdict:
Malicious activity
Analysis date:
2021-07-01 10:23:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0575c458-84ee-4276-86fd-a13240b8647f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169114/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.10162.7590.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a29b6ad-e83f-4d8c-942b-20a95c598472
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810471
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442883 Sample: XEHPL0pacK.exe Startdate: 01/07/2021 Architecture: WINDOWS Score: 100 26 Found malware configuration 2->26 28 Multi AV Scanner detection for dropped file 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 7 other signatures 2->32 7 XEHPL0pacK.exe 7 2->7         started        process3 file4 18 C:\Users\user\AppData\...behaviorgraphJzeDUQYDmp.exe, PE32 7->18 dropped 20 C:\Users\...behaviorgraphJzeDUQYDmp.exe:Zone.Identifier, ASCII 7->20 dropped 22 C:\Users\user\AppData\Local\...\tmpEB1E.tmp, XML 7->22 dropped 24 C:\Users\user\AppData\...\XEHPL0pacK.exe.log, ASCII 7->24 dropped 34 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->34 36 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->36 38 Uses schtasks.exe or at.exe to add and modify task schedules 7->38 11 XEHPL0pacK.exe 2 7->11         started        14 schtasks.exe 1 7->14         started        signatures5 process6 signatures7 40 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->40 42 Tries to steal Mail credentials (via file access) 11->42 44 Tries to harvest and steal ftp login credentials 11->44 46 Tries to harvest and steal browser information (history, passwords, etc) 11->46 16 conhost.exe 14->16         started        process8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3cbc16e758d2dd21158d4a2b832b42f53a2acc99763e5f1201eed468ac52403e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 10:18:11 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hs6bnz2y2loscfmnjivygk2c6u5cvtezoy7f6eqb53kgrlcsia7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
034f779a5a2a0436348e9a12d33fc925c688300c26561d8f413ffbfa89dd6c8e
AgentTesla
4cf2cd795a677e2fe744c4bad3d8ba2450e84cfeefae6550c677107ba633459c
AgentTesla
5c1acbd40fb6b82586354bd863d53e71d6cbc6f6271f0f8da6f3692c4446ebe6
AgentTesla
7b0340db069b8349072b08b00b101e2f980baecddc4f8038aff3068bb23ab949
AgentTesla
83a086432a8a3d8b65e2a0a4d5d139553cfaef97856424fccb4b11a813518ae1
AgentTesla
8c63a7665a27d47e20bd74c4aaba5cf4a76d981bfd52820f935efd097dcfda3d
AgentTesla
8ef4a31bc2a6eacd381e90d8873c55da95a1ed26ec3240d38bfec7b0a25a6e6f
AgentTesla
92889220ff2fe0e3b445048cc70bd5a08553abb547f454d3b7ecbb2b23afd9e2
AgentTesla
98cea7e20d6760aa8052e7be2968a74df11f602bf9860243631f1a56140fa13c
AgentTesla
a1629f14833195672e2b59b90d643fa90376f9ab7ceef315f08e0835860234c9
AgentTesla
+ 6'279 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210701-kqsgnp82ax/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
Link:
https://www.unpac.me/results/005e9115-1994-4647-b25e-7c54a84f5eb5/
SH256 hash:
bd588e7f78f9f779230e45ef478310585b416025c01bdf40618f52215415c3dc
MD5 hash:
03228b1d28f81b5c27fe74195faa04cf
SHA1 hash:
b762fb0ba7a5db788da90942415ca135fbcf5760
Link:
https://www.unpac.me/results/005e9115-1994-4647-b25e-7c54a84f5eb5/
SH256 hash:
b0382c4422d95bc98efe02dd76e06508ca21c8e6ca4696c5e9123559542dfd58
MD5 hash:
27462e5bb59b127d782b347cd9f89e64
SHA1 hash:
93834c26de05a60da08e1ba28351f21e889196ee
Link:
https://www.unpac.me/results/005e9115-1994-4647-b25e-7c54a84f5eb5/
SH256 hash:
3cbc16e758d2dd21158d4a2b832b42f53a2acc99763e5f1201eed468ac52403e
MD5 hash:
84db6d6d5b5934bb849939080ad4287a
SHA1 hash:
7079e670eb3d99b090e7658a05137f266b36b287
Link:
https://www.unpac.me/results/005e9115-1994-4647-b25e-7c54a84f5eb5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3cbc16e758d2dd21158d4a2b832b42f53a2acc99763e5f1201eed468ac52403e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 3cbc16e758d2dd21158d4a2b832b42f53a2acc99763e5f1201eed468ac52403e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1416017/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/169114/

Comments