MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d3d5f6bd531217f0d2e55749b1c749e27088b7e72e83a572c30c754ac1b73aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d3d5f6bd531217f0d2e55749b1c749e27088b7e72e83a572c30c754ac1b73aa
SHA3-384 hash: 8e4c85e8622edf600100bcb753a5af1f9453779a5adcfceff9191385db3e875c0b32829ea54caeda97638c8b33f82e5b
SHA1 hash: 7d35d89e3dc413ce549ad3c828d6212f82f2fedc
MD5 hash: 90ce2b03fadc83952fa639921b1abdbb
humanhash: missouri-kansas-crazy-triple
File name:PaymentAdvice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'411'072 bytes
First seen:2021-01-09 08:58:51 UTC
Last seen:2021-01-09 10:42:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:tvjX+Ev/Nd+3Tisy1UDZhgPRudyuJa8goyEzFMnT1DMmzktb0a7mFsI:BsyqgPRudTbzFMnTVMZfI
Threatray 2'104 similar samples on MalwareBazaar
TLSH 0B6549DC711071DEC85BCE728A641C64AA217CBA571FE207A41335E99A7EA87CF241F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ns1003721.ip-92-204-132.us
Sending IP: 92.204.132.74
From: Francis P <francis@sureintl.com>
Subject: Payment Advice
Attachment: PaymentAdvice.zip (contains "PaymentAdvice.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PaymentAdvice.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-09 08:59:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5e294707-7a8a-462c-aef5-bea22e017ade

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111107/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36046696.12645.2939.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577247
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d3d5f6bd531217f0d2e55749b1c749e27088b7e72e83a572c30c754ac1b73aa/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-09 03:57:05 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hu6v626vgeqx6djokv2jwhdutytqrc36oluduvzmgddvjla3oova._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b309fba5ed6a5cca9df11aa42633e07a7c64d3b4474849a0ede645dde5c0a50
AgentTesla
2bf325abeef3e5dbce3c2041a7e1bde3ae717a58b2ce07a0286855c22cab4bb8
AgentTesla
97c73eb27f164d01020de5531c96adb305bfdd8e6ec727bfaf65a2fa7b02638a
AgentTesla
9c7002e97c59c4c190abb09e373a5f1010b4790dbcb714e792538e73820d5609
AgentTesla
a7df178348dd3563a0a0a44ec82af4b6bc15bf352337ef690fac078cfee6ec49
AgentTesla
bd8670ff54fdb88e307e5997213a32ee95f922566923e7a645cbf120094cbbdb
AgentTesla
caa1844423cb2047c876df6276fd0e146f08e254897de3c9d51b1c41b3d35f13
AgentTesla
d5269c737f5691eab59bcc8c6ba21a4ad0244e37d87c2fae38543ad15aa6707f
AgentTesla
df107977e92465958c206bf42e33ce394e8573da3c4035b69bfa0d0eaf367914
AgentTesla
df27e1cee5548d6c169e700946c102ffe88442f1dcbdb7bcad449194111ca5f2
AgentTesla
+ 2'094 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/210109-a7r6ajgl82/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
3d3d5f6bd531217f0d2e55749b1c749e27088b7e72e83a572c30c754ac1b73aa
MD5 hash:
90ce2b03fadc83952fa639921b1abdbb
SHA1 hash:
7d35d89e3dc413ce549ad3c828d6212f82f2fedc
Link:
https://www.unpac.me/results/4a27944b-848b-4956-974d-ef34e7c9214e/
SH256 hash:
6bb48003a1e7faf707b1466b6f921285565b25677be5c80f27461dd4249a76d6
MD5 hash:
f301b8ec0675903f2fe156b9592106e1
SHA1 hash:
526ca486d84c62f50144c6795b0c211fc2d046fc
Link:
https://www.unpac.me/results/4a27944b-848b-4956-974d-ef34e7c9214e/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/4a27944b-848b-4956-974d-ef34e7c9214e/
SH256 hash:
99383cf209522d5c746abd2df68b75215457e848f2d5a6225dd9677a52d22824
MD5 hash:
8e62f24198a6a25f5a90c1f1871c2d16
SHA1 hash:
f094824b8f69ff456022baea18f1aa3599d541a6
Link:
https://www.unpac.me/results/4a27944b-848b-4956-974d-ef34e7c9214e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d3d5f6bd531217f0d2e55749b1c749e27088b7e72e83a572c30c754ac1b73aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a249100b48b57e3435b13c5edaed808ac78687ef8baec4fadd98b4d6a261c2ed

AgentTesla

Executable exe 3d3d5f6bd531217f0d2e55749b1c749e27088b7e72e83a572c30c754ac1b73aa

(this sample)

  
Dropped by
MD5 b7d552e641516e78fceda735babbcaf1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111107/
  
Dropped by
SHA256 a249100b48b57e3435b13c5edaed808ac78687ef8baec4fadd98b4d6a261c2ed

Comments