MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d402a866fb1dc18d7eaaa64013502d3184c25b9f5c93bfa916b5d15cda34a11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 10

SHA256 hash: 3d402a866fb1dc18d7eaaa64013502d3184c25b9f5c93bfa916b5d15cda34a11
SHA3-384 hash: 187c4b5d5af2f2afc5a029e173222667c891394b96b37d78c69d6b573eebfab1d0ae505377ef1d238040bc42c0a9ee5c
SHA1 hash: f6e9418f9f1c172518e2fe5cd10b1d94e26c9c30
MD5 hash: 1bece3fc719dffcc6b9d02256a39c0d3
humanhash: snake-black-double-may
File name: 1bece3fc719dffcc6b9d02256a39c0d3.exe
Signature: AgentTesla
File size: 604'632 bytes
First seen: 2020-12-22 12:23:55 UTC
Last seen: 2020-12-22 14:24:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:YjRd6qwYPtgOoHGLkgsckgmOu7hplu/VJ1LeNWCvC63PdvmE92r9V0Xt:MRdVzPgyTpARu/sNpp3VvDY
Threatray: 81 similar samples on MalwareBazaar
TLSH: F4D4BFC7269243B8C84D6E760D7C99C163B5BDC73B2D8A1E254A731B8E321DB7F0A449
Reporter: abuse_ch
Tags: AgentTesla exe
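The imphash above is shared with tens of thousands of samples attributed to three different families, and the vendor results further down this page disagree on the family themselves (AgentTesla in the signature and tags, RedLine in one sandbox result and in the unpacked-file YARA match). The reason is mechanical: imphash, as pefile computes it, is the MD5 of a normalized, comma-joined list of imported library.function pairs, and a .NET executable's only native import is mscoree.dll!_CorExeMain, so every managed binary hashes to the same value and imphash cannot separate one .NET stealer from another. The script below is an added example, not code from MalwareBazaar or pefile; it rebuilds that computation from import tables that are constructed for illustration, not parsed from this sample.

```python
"""Reproduce a PE imphash from its import table.

imphash, as implemented in pefile's get_imphash(), is the MD5 of the
comma-joined, lower-cased "library.function" pairs in import order, with a
.dll/.ocx/.sys extension stripped from the library name and name-less
(ordinal) imports rendered as "ordN". The import tables below are
constructed for this illustration; nothing here is parsed from the sample.
"""
import hashlib
from typing import Iterable, Sequence, Tuple, Union

# One import descriptor: (library name, [function name or ordinal number, ...])
ImportEntry = Tuple[str, Sequence[Union[str, int]]]

_STRIPPED_EXTS = ("dll", "ocx", "sys")


def normalize_library(dll: str) -> str:
    """mscoree.dll -> mscoree, WS2_32.DLL -> ws2_32; foo.drv is left alone."""
    name = dll.lower()
    base, sep, ext = name.rpartition(".")
    if sep and ext in _STRIPPED_EXTS:
        return base
    return name


def import_string(entries: Iterable[ImportEntry]) -> str:
    """Build the canonical string that imphash digests."""
    parts = []
    for dll, functions in entries:
        lib = normalize_library(dll)
        for func in functions:
            # pefile resolves ordinal-only imports to names via built-in tables
            # for ws2_32 and oleaut32 and otherwise emits "ordN". This example
            # (an assumption of the illustration) always emits the ordN form.
            name = f"ord{func}" if isinstance(func, int) else func
            parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)


def imphash(entries: Iterable[ImportEntry]) -> str:
    return hashlib.md5(import_string(entries).encode()).hexdigest()


# A managed (.NET) executable carries exactly one native import, the CLR
# bootstrap stub, so every such binary shares one imphash regardless of which
# malware family the managed code belongs to.
DOTNET_EXE_IMPORTS: Sequence[ImportEntry] = [("mscoree.dll", ["_CorExeMain"])]

# Constructed native import tables: casing and extensions do not change the
# hash, but import order does, so two builds of one program can differ.
NATIVE_IMPORTS_A: Sequence[ImportEntry] = [
    ("KERNEL32.DLL", ["GetProcAddress", "LoadLibraryA"]),
    ("COMCTL32.DLL", [17]),  # ordinal-only import
]
NATIVE_IMPORTS_B: Sequence[ImportEntry] = [
    ("kernel32.dll", ["LoadLibraryA", "GetProcAddress"]),  # same set, swapped order
    ("comctl32.dll", [17]),
]

if __name__ == "__main__":
    print("imphash of a .NET exe:", imphash(DOTNET_EXE_IMPORTS))
    print("native, order A      :", imphash(NATIVE_IMPORTS_A))
    print("native, order B      :", imphash(NATIVE_IMPORTS_B))
```

Because the .NET value is a property of the runtime stub rather than of the payload, treat an imphash hit on a managed sample as "this is a .NET executable" and nothing more; pivot on ssdeep, TLSH or the unpacked payload hashes instead.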

Intelligence


File Origin
# of uploads: 2
# of downloads: 282
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 1bece3fc719dffcc6b9d02256a39c0d3.exe
Verdict: Malicious activity
Analysis date: 2020-12-22 12:35:10 UTC
Tags: evasion trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Launching a process
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Connection attempt
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 333300; sample k8Jw01YX3c.exe; start date 22/12/2020; architecture WINDOWS; score 100)
Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 7 other signatures

k8Jw01YX3c.exe (started)
  Network: www.ecb.int; www.ecb.europa.eu; www-ecb-europa-eu.ax4z.com -> 185.5.82.138 port 443 (local ports 49736, 49737; SOPRADO-ANYDE, Germany)
  Dropped: C:\Users\user\AppData\...\k8Jw01YX3c.exe.log (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into foreign processes
  InstallUtil.exe (started)
    Network: www.geoplugin.net; api.ip.sb; 8 other IPs or domains
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
    cmd.exe (started)
      Network: 127.0.0.1
      Signatures: Uses ping.exe to sleep
      conhost.exe (started)
      PING.EXE (started)
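The process chain in the graph (sample -> InstallUtil.exe -> cmd.exe -> PING.EXE against 127.0.0.1) is what the "Uses ping.exe to sleep" signature describes: a loopback ping with an echo count is a delay loop, not a reachability check, and here it is requested by InstallUtil.exe, the .NET utility the sample injected into. The Python below is an added example, not detection logic from any vendor on this page; it runs that reasoning over a constructed process-creation log. The command lines and PIDs are assumptions modelled on the graph, because the page does not record them.

```python
"""Flag loopback pings used as a sleep, and rate them by who asked for them.

Pattern reconstructed from the behavior graph on this page:
    sample -> InstallUtil.exe -> cmd.exe -> PING.EXE 127.0.0.1
The events below are constructed for this example with the fields a
Sysmon event ID 1 or EDR process-create record carries; they are not the
sample's real command lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # base name of the executable
    cmdline: str


# Constructed sample log. PIDs 8/13/17/21/23 mirror the node ids in the graph.
EVENTS: List[ProcEvent] = [
    ProcEvent(1001, 900, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(8, 1001, "k8Jw01YX3c.exe", "C:\\Users\\user\\Downloads\\k8Jw01YX3c.exe"),
    ProcEvent(13, 8, "InstallUtil.exe",
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"),
    ProcEvent(17, 13, "cmd.exe", "cmd.exe /c ping 127.0.0.1 -n 10 > nul"),
    ProcEvent(21, 17, "conhost.exe", "conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(23, 17, "PING.EXE", "ping 127.0.0.1 -n 10"),
    # Benign: an operator checking a remote host from an interactive shell.
    ProcEvent(30, 1001, "cmd.exe", "cmd.exe"),
    ProcEvent(31, 30, "PING.EXE", "ping 10.0.0.5 -n 4"),
    # Noisy but low value: a batch-file sleep launched from the desktop shell.
    ProcEvent(40, 1001, "cmd.exe", "cmd.exe /c ping -n 3 127.0.0.1 > nul"),
    ProcEvent(41, 40, "PING.EXE", "ping -n 3 127.0.0.1"),
]

LOOPBACK = re.compile(r"(?<![\d.])(127\.0\.0\.1|localhost|::1)(?![\d.])", re.I)
ECHO_COUNT = re.compile(r"(?:^|\s)-n\s+(\d+)", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INTERACTIVE_HOSTS = {"explorer.exe"}   # tune to your estate (terminal hosts, RMM agents, ...)


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain from nearest to farthest; stops at unknown PIDs and cycles."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def launcher(chain: List[ProcEvent]) -> Optional[ProcEvent]:
    """First ancestor that is not a command shell: the process that really wanted the delay."""
    for anc in chain:
        if anc.image.lower() not in SHELLS:
            return anc
    return None


def find_ping_sleeps(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ev.image.lower() != "ping.exe" or not LOOPBACK.search(ev.cmdline):
            continue
        m = ECHO_COUNT.search(ev.cmdline)
        count = int(m.group(1)) if m else 4        # Windows ping default is 4 echoes
        chain = ancestors(ev, by_pid)
        who = launcher(chain)
        interactive = who is None or who.image.lower() in INTERACTIVE_HOSTS
        findings.append({
            "pid": ev.pid,
            "echo_count": count,                   # roughly count-1 seconds of delay
            "launcher": who.image if who else None,
            "chain": [a.image for a in chain],
            "severity": "low" if interactive else "high",
        })
    return findings


if __name__ == "__main__":
    for f in find_ping_sleeps(EVENTS):
        print(f)
```

Keying severity on the first non-shell ancestor rather than on the ping itself keeps operator-run batch sleeps at low severity while still surfacing the InstallUtil.exe -> cmd.exe -> PING.EXE chain; a ping to a routable address is skipped entirely, since that is what the tool exists for.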
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-09-29 19:48:42 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla Payload
AgentTesla
Unpacked files

SHA256 hash: 3d402a866fb1dc18d7eaaa64013502d3184c25b9f5c93bfa916b5d15cda34a11
MD5 hash: 1bece3fc719dffcc6b9d02256a39c0d3
SHA1 hash: f6e9418f9f1c172518e2fe5cd10b1d94e26c9c30

SHA256 hash: 511df1cff818216a8fc02ee687499ac958437f6e9c78f30c40a58ad69631141c
MD5 hash: acebb89c7e045f2d954f6922eaee551e
SHA1 hash: 0db19199d24398f69220d0392daf3da3681a6a46

SHA256 hash: 6caaf1c2675f5aeb0cbff71a99c811eac346d2117e788337aa5c007817de5b3d
MD5 hash: 36d09b3570caa5be4df29e175cf0a4d1
SHA1 hash: 1c2d4d9a3b00ddcd7368f2d54b10e5d5f66fce45
Detections: win_redline_stealer_g0

SHA256 hash: 51e22a152aba261b45104d9a94d588d1a3817e3bf872891b5c3a2f29b5199dff
MD5 hash: e84cc74f9ea9ce36f16d3915ff7ab1ab
SHA1 hash: 4b33f3a47ac290aab882fe29a54c1d8925b9636b

SHA256 hash: cbaf42ee45df7fc1ad254d86cf7735a6cee0560ad8235735cd75589c7bd8d9c8
MD5 hash: fc02c34cbfbe0eac6cd0e5757a21bff3
SHA1 hash: 79dafcadadd6a7302d9f746cfa8eca8fcbfca828

SHA256 hash: 418f95a74d0d6740e56583ae0ed241080bd4ea0feba79e4360373da9d052cb19
MD5 hash: 3c82957d6a3668cb9f2e1637ad7f6d41
SHA1 hash: d07245c87fd6e57a722121a03cb441d04fb2a10a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: AgentTesla
File: Executable exe 3d402a866fb1dc18d7eaaa64013502d3184c25b9f5c93bfa916b5d15cda34a11 (this sample)