MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d47fc89c543f3a8f9fa0ac9f798dd830987acca707f093ca94b70884d2ca169. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d47fc89c543f3a8f9fa0ac9f798dd830987acca707f093ca94b70884d2ca169
SHA3-384 hash: 85f7ea72fe0c2a473d22d93f564a3d4f2440d834d3c0e92a3d6550438a7da0735d71fd7392c1f06a80c773e3b6d860c8
SHA1 hash: 5dcc6ca575115a15b2b10e4cbcaf46cf38d10971
MD5 hash: 60e62a0a65f71bb07c9535d3cd209b46
humanhash: spring-washington-spring-princess
File name:60e62a0a65f71bb07c9535d3cd209b46.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:874'496 bytes
First seen:2021-04-16 14:50:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:j52pJBpYpc+t25K7s5EW+yFegaGmPP2hnTLyaD3Wrsyrm6XuHRYgA9WZ:j52tc7VgFPaTPQPKrsqm6hgcWZ
Threatray 4'002 similar samples on MalwareBazaar
TLSH 77059D2036E5920CC8BE5B340875438417B6BD56BA11C6CD7CD7325C9E3EB97CB21BAA
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.lpsinvest.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL INVOICE.xlsx
Verdict:
Malicious activity
Analysis date:
2021-04-15 19:30:22 UTC
Tags:
encrypted trojan exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/26ee79e0-be84-41e0-adcb-fcc69e21db39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/136230/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.646-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/681182
Signature
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3d47fc89c543f3a8f9fa0ac9f798dd830987acca707f093ca94b70884d2ca169/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-04-15 21:38:48 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvd7zcofipz2r6p2ble7pgg5qmeyplgkob7qspfjjnyiqtjmufuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02b07b8086d052cca5b1f10089f93da604dfdf71d09f0370750f371e50bb0221
AgentTesla
32307715c2ea407e10a73d3e02ea634c7f1195b20c69a5f4c19fe7c3a1bb34ea
AgentTesla
5b7770f02c562dffdbe0cd638e288adba8f340c7231ef30fa2860b7f4b9dfa80
AgentTesla
744621e57306f68b872c0f22f8da760d1a7af2069c28ca45c58de31a38542695
AgentTesla
7e1984261f01fdffcafc839d5fcfc819173f533e424d1d84835c39ce68dfcf1e
AgentTesla
92301e389bb037a484b2bd9973642c3c9a7415104c33009b17fbd816590db8f2
AgentTesla
a58efdd81c45fdc2c71f47af41f151795c5f92747409d9ba4114430b778c9a44
AgentTesla
d2f99cc9154356e6611a695336854cebafdfe613f20f5cd828a25ee0289126e4
AgentTesla
f64809e849ccb011853e0fde4d0bf866ce6810265de88bb1f36e102fcd4edc31
AgentTesla
f9de889dff0ad6b4714adcf2d015d6bbf8391d5f86622daa2b5345be4eeb8cb1
AgentTesla
+ 3'992 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210416-6tb2pmh9bs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5e0f3da625a479a5e7e807b5f09c889d95474139410b312ba3a39bcb05976729
MD5 hash:
3d20c2ea9ac04e1707f853bb1780bc18
SHA1 hash:
805e90b023eb92d44bbe11daefce6edbe872cb74
Link:
https://www.unpac.me/results/7e1c7ac0-6f69-45d7-813e-8bc2cc45c827/
SH256 hash:
3d47fc89c543f3a8f9fa0ac9f798dd830987acca707f093ca94b70884d2ca169
MD5 hash:
60e62a0a65f71bb07c9535d3cd209b46
SHA1 hash:
5dcc6ca575115a15b2b10e4cbcaf46cf38d10971
Link:
https://www.unpac.me/results/7e1c7ac0-6f69-45d7-813e-8bc2cc45c827/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d47fc89c543f3a8f9fa0ac9f798dd830987acca707f093ca94b70884d2ca169

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 3d47fc89c543f3a8f9fa0ac9f798dd830987acca707f093ca94b70884d2ca169

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1123356/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/136230/

Comments