MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d38040b15c1ec1b47b63b58e32d4484707979fa2a7eb43cf25414fa04299414. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d38040b15c1ec1b47b63b58e32d4484707979fa2a7eb43cf25414fa04299414
SHA3-384 hash: 2846efbaea89fa8040f350ec67ddb7d47982069f21d33929ce3fa710d3308b9ceb9a281aca9351dd98b14dc97d9475be
SHA1 hash: 1b227d1bd324051d66871ac8633c3ec68e24b635
MD5 hash: 59b7ac7f307d5e3b35838f2e006e8279
humanhash: cold-nineteen-green-uncle
File name:SecuriteInfo.com.Trojan.PackedNET.2679.18461.20562
Download: download sample
Signature AgentTesla
Create hunting rule
File size:677'376 bytes
First seen:2024-02-13 17:23:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:2TvPeQ5vziBuy4tdczN7ht9DhXeJO/hkDc0pS4N9vqPE+KM3CBfAQzFqRNn/iD:QriBP4tdcxtDpeY/hkDc0pjNcc+f3CB7
Threatray 5'757 similar samples on MalwareBazaar
TLSH T13BE4232066E0EB2ECCBD4FB922B11940837C58978594EB161FC434E91DB77838AB5F57
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
ORDER #4059212650 - 2.13.2024.jar
Verdict:
Malicious activity
Analysis date:
2024-02-13 10:32:59 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/e1c30a16-5886-4901-8f0c-496cbbfeffe3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/476026/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2679.18461.20562.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed shell32
Link:
https://www.filescan.io/uploads/65cba5bd54f1a1b63b6d2d70/reports/54080238-d06c-4cd9-934f-a7b1b9222733/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/3d38040b15c1ec1b47b63b58e32d4484707979fa2a7eb43cf25414fa04299414
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a638bc97-f62a-4a19-8501-9733681c9b9b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1391429
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3d38040b15c1ec1b47b63b58e32d4484707979fa2a7eb43cf25414fa04299414
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d38040b15c1ec1b47b63b58e32d4484707979fa2a7eb43cf25414fa04299414/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2024-02-13 09:49:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hu4aicyvyhwbwr5whnmoglkeqryhs6p2fj7liphskqkpubbjsqka._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
141a5b247877921ff5e4b58b0aeaa36e6e4de38d87599ee6956308e2b70589a5
AgentTesla
1d79756d1b41dd8556576d53dcce29b47791ad27316c62cc0e256d75dde3e52c
AgentTesla
23c5a80cfa31db9c405065513f6f2e4cb394a7ef046bedc82d817a460829a67d
AgentTesla
3d38040b15c1ec1b47b63b58e32d4484707979fa2a7eb43cf25414fa04299414
AgentTesla
ace13ea91164ad1af7e08b21e1f88045238aea4a71236286f5906ed61cd0e389
AgentTesla
cfadc51764727f6575af7a0c5ca579c99bc062ce94d67dbb844f4a44bd1d1711
AgentTesla
ea652ce006bdff45184664a2c691ca5c6256fc1a686dfa8721cf5a9d2e1f4593
AgentTesla
+ 5'747 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240213-vyp1vseh59/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
971c821aa19832e04f1dd44b19cdb909d36d27be2f9e62edd10bf7887a43d15a
MD5 hash:
6d7a285502323918820b8513b5f33d75
SHA1 hash:
9633177bbb29c2563fec4a7dd381f4a278588437
Link:
https://www.unpac.me/results/c60a1495-e2df-4913-946b-1b2abb34e0fb/
SH256 hash:
4b8c02460748b2a55899df6719c2b16ae9420da331f2b41e64cf9682c12c3dff
MD5 hash:
bea692d6f4c36a9954fe7a2a9b4c3ab8
SHA1 hash:
76fbe18734ea87023aab845b4c0de4764016b525
Link:
https://www.unpac.me/results/c60a1495-e2df-4913-946b-1b2abb34e0fb/
SH256 hash:
d85df389dfdf0b4adfa051d689bbc43eb301759aa27c3ffb794ca3bdb62fe545
MD5 hash:
666064f4878bb66e4e4ae44b1dd24da4
SHA1 hash:
387ec49eac7e41eda2c9ffb8932619bca4c56eee
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/c60a1495-e2df-4913-946b-1b2abb34e0fb/
SH256 hash:
8b73e43fd9af6a3adc6fda211be8d0c492a690c4f68b8eb2c09419d95c8f78ca
MD5 hash:
b2ca2b9354a27077c9945281ac8a3dd9
SHA1 hash:
01a448d2ce59f90e40cf936c1aa574d0f3273074
Link:
https://www.unpac.me/results/c60a1495-e2df-4913-946b-1b2abb34e0fb/
SH256 hash:
3d38040b15c1ec1b47b63b58e32d4484707979fa2a7eb43cf25414fa04299414
MD5 hash:
59b7ac7f307d5e3b35838f2e006e8279
SHA1 hash:
1b227d1bd324051d66871ac8633c3ec68e24b635
Link:
https://www.unpac.me/results/c60a1495-e2df-4913-946b-1b2abb34e0fb/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3d38040b15c1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d38040b15c1ec1b47b63b58e32d4484707979fa2a7eb43cf25414fa04299414

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/476026/

Comments