MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3df4a60f664b3a105d0562b885a6ec1a63956917b7c2325357e09e81e6d50899. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3df4a60f664b3a105d0562b885a6ec1a63956917b7c2325357e09e81e6d50899
SHA3-384 hash: c8a8c4431ee6706a5c17aff69445e2f7ed1bb00d9c1a63a91a5550a510eee8676e3b1732b0d5c1541fc038bfe98c1991
SHA1 hash: 745da4da0e07a320c35802f44bff4aa3c7b3a78a
MD5 hash: 782bf801f3d7bf7d3b9fab0337b8023c
humanhash: island-grey-nineteen-artist
File name:PO Request _ WELLTEC DIESEL Co., LTD.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:719'360 bytes
First seen:2023-09-05 06:48:23 UTC
Last seen:2023-09-05 07:33:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:0ot830ODHrP6/CVBPvNCcE7Rj8atRUx8TFHYgYRsI/z4Vvz9klpjkDwMD8H:0oE36iBPe3tixQIP4VvZwpjkDV8
Threatray 1'229 similar samples on MalwareBazaar
TLSH T1B1E40280F2BC9F53EEBAA7F65828215407B65D9B6431E7480ED6F4D71AD0BA00581F3B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
295
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PO Request _ WELLTEC DIESEL Co., LTD.exe
Verdict:
Malicious activity
Analysis date:
2023-09-05 06:49:52 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/8d3fa94e-d22f-4363-9a77-2591db2e01ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/446251/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64f6cf602a262962b7937eaf/reports/9b1265df-e7ea-40d7-a1f2-dee1b0555db3/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3df4a60f664b3a105d0562b885a6ec1a63956917b7c2325357e09e81e6d50899
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e69abd9-18a3-4e8f-a379-694d0646dca7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303321
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1303321 Sample: PO_Request___WELLTEC_DIESEL... Startdate: 05/09/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 7 other signatures 2->51 7 PO_Request___WELLTEC_DIESEL_Co.,_LTD.exe 7 2->7         started        11 sLTein.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\Roaming\sLTein.exe, PE32 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp1964.tmp, XML 7->35 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 13 PO_Request___WELLTEC_DIESEL_Co.,_LTD.exe 2 7->13         started        17 powershell.exe 20 7->17         started        19 schtasks.exe 1 7->19         started        21 PO_Request___WELLTEC_DIESEL_Co.,_LTD.exe 7->21         started        59 Multi AV Scanner detection for dropped file 11->59 61 Injects a PE file into a foreign processes 11->61 23 sLTein.exe 11->23         started        25 schtasks.exe 1 11->25         started        signatures5 process6 dnsIp7 37 h12.hksx.com 202.181.239.232, 49720, 49721, 587 HKCIX-AS-APHongKongCommercialInternetExchangeHK Hong Kong 13->37 39 mail.absbldg.com 13->39 41 192.168.2.1 unknown unknown 13->41 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        43 mail.absbldg.com 23->43 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->63 65 Tries to steal Mail credentials (via file / registry access) 23->65 67 Tries to harvest and steal browser information (history, passwords, etc) 23->67 31 conhost.exe 25->31         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3df4a60f664b3a105d0562b885a6ec1a63956917b7c2325357e09e81e6d50899/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-05 06:19:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hx2kmd3gjm5baxifmk4iljxmdjrzk2ixw7bdeu2x4cpidzwvbcmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08d76dc0333ccb04c7d58c27c319a6dfbcb0f6c91e232b6205e893272574eac2
AgentTesla
1182ef3f55a149c1a676f27653cc1a8ec6589e56c9dfa450f2f7731cd63c61a6
AgentTesla
1d764be70840124eb68ad9bbdccb996bc56ccea2d4bd804ebf99141629dd0b0b
AgentTesla
4e6fda468f16cee9f106def8f3217930ba442d79daa41cde7dd5b6f817bd5127
AgentTesla
69d31a62dc0f4c9faffbe33f0c65dfa6240ef17dff57cc5ccc1a15f1219c5eb9
AgentTesla
740ade7a62a555ad148bb2d2d97bafcf893a8be5b0db0e278ef9f16bec310c07
AgentTesla
7ad8b74ac85044fdec2b62194c0e22ce7d31b353a97bce4ea09e80151bff60fb
AgentTesla
bee949c5192f46467c2fb76490dd2407f4206639c2e5e824c74e879c02fcc342
AgentTesla
ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee
AgentTesla
d9819797562fc37901466523b731e2114efd43d2395887cf44116e7b208e7d71
AgentTesla
+ 1'219 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230905-hlchsaeb72/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
7d50eb1fad89f4ebf7f5aa8c1b956e13b19ccf67b17007d97c5f5ae382d44f56
MD5 hash:
3d74b731a9fd0acb05187baae7f0c186
SHA1 hash:
f6b77064ed5220b8d6e1e051c145574aeb8dcb71
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/8282e273-dc67-4347-813f-8af7ed6fc1f0/
Parent samples :
3df4a60f664b3a105d0562b885a6ec1a63956917b7c2325357e09e81e6d50899
241784a425ca56db84249bb2435b5894f48a9ca15e913b60c1e80975c19abffe
96391cff00ba35611d9d14ab17616c48a89337f7a973e1098c82f010f8d3f3f5
eccd37fd51b5291eaa446c828bbf0a682c09fda2bf52a8e9fdc771d3d8e65ec2
SH256 hash:
55ea20faf9b0c8c00f3d3ea16ff5bfd836fa99f1941946885d45240d2f681f4c
MD5 hash:
eec54763c3b2e33ba860048ffe88f910
SHA1 hash:
8034038ca99a91c8fdf69b1bc745e9dcdaac02e4
Link:
https://www.unpac.me/results/8282e273-dc67-4347-813f-8af7ed6fc1f0/
SH256 hash:
e5c474b4f5db5d5deed3f2f2b9c1e3cb4ec006eb61043bd3ea487237f3100f0c
MD5 hash:
48675c1652a382f7d572c8c5f2fb1440
SHA1 hash:
1eb242bb0ab1066e01930958707fb01e03c57a33
Link:
https://www.unpac.me/results/8282e273-dc67-4347-813f-8af7ed6fc1f0/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/8282e273-dc67-4347-813f-8af7ed6fc1f0/
Parent samples :
cef72412a1dd9486bae5f7e606d4330660fba98575ba1c939559ccc83536f41a
81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688
SH256 hash:
3df4a60f664b3a105d0562b885a6ec1a63956917b7c2325357e09e81e6d50899
MD5 hash:
782bf801f3d7bf7d3b9fab0337b8023c
SHA1 hash:
745da4da0e07a320c35802f44bff4aa3c7b3a78a
Link:
https://www.unpac.me/results/8282e273-dc67-4347-813f-8af7ed6fc1f0/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3df4a60f664b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3df4a60f664b3a105d0562b885a6ec1a63956917b7c2325357e09e81e6d50899

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3df4a60f664b3a105d0562b885a6ec1a63956917b7c2325357e09e81e6d50899

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/446251/

Comments