MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e00d864918670e82b26e4dd616644aa3c22ead3495ec6ca6e2588e6a855aad8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e00d864918670e82b26e4dd616644aa3c22ead3495ec6ca6e2588e6a855aad8
SHA3-384 hash: 9ab61d62ca026a57d563530d2ffbce4f1f432513ba15eb469f33d5f3d65d613a73468ebe141ca861fe25fb1b5ea79a37
SHA1 hash: 91d37dac1d4669e0fc704ddbef4ffae00534d826
MD5 hash: e21cdaf4693263a36d6f3f6d7544bc19
humanhash: august-texas-eighteen-oxygen
File name:Purchase Order_2241838_20221210_201349-pdf.com
Download: download sample
Signature AgentTesla
Create hunting rule
File size:23'552 bytes
First seen:2022-12-10 12:33:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:xYglR6cNoHzVZJq/S8frSo62tCT+UuSvwiFawJQl:xX4HzIfrS8fiFaKQl
Threatray 9'555 similar samples on MalwareBazaar
TLSH T1EFB284D1D79405E5EC660BB45C77AD2201AB7EBEACB1AA6D681EB0359F732C30072D07
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 050559c9190a4460 (13 x RemcosRAT, 5 x AgentTesla, 3 x Formbook)
Reporter 0xToxin
Tags:AgentTesla exe Spidey Bot

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
IL IL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344988/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.11930.17724.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63947cbe04e0e79bdf420698/reports/3a0e6dbd-d987-4e4b-8c00-c767ea3bcb48/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7d3cb8d0-db51-4b79-9b95-1fa848eb4f3e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131940
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 764664 Sample: Purchase Order_2241838_2022... Startdate: 10/12/2022 Architecture: WINDOWS Score: 100 60 discord.com 2->60 62 api4.ipify.org 2->62 64 api.ipify.org 2->64 88 Snort IDS alert for network traffic 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 10 other signatures 2->94 8 Purchase Order_2241838_20221210_201349-pdf.com.exe 16 7 2->8         started        13 Ydgmbana.exe 14 4 2->13         started        15 Skype.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 74 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49697, 49704 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->74 76 onedrive.live.com 8->76 80 3 other IPs or domains 8->80 54 C:\Users\user\AppData\...\Ydgmbana.exe, PE32 8->54 dropped 56 C:\Users\...\Ydgmbana.exe:Zone.Identifier, ASCII 8->56 dropped 58 Purchase Order_224...349-pdf.com.exe.log, ASCII 8->58 dropped 104 Encrypted powershell cmdline option found 8->104 106 Creates multiple autostart registry keys 8->106 108 Injects a PE file into a foreign processes 8->108 19 Purchase Order_2241838_20221210_201349-pdf.com.exe 2 6 8->19         started        24 powershell.exe 14 8->24         started        78 onedrive.live.com 13->78 82 2 other IPs or domains 13->82 110 Multi AV Scanner detection for dropped file 13->110 112 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->112 114 May check the online IP address of the machine 13->114 116 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->116 26 Ydgmbana.exe 13->26         started        28 powershell.exe 13->28         started        38 2 other processes 13->38 84 4 other IPs or domains 15->84 118 Machine Learning detection for dropped file 15->118 30 powershell.exe 15->30         started        86 6 other IPs or domains 17->86 32 powershell.exe 17->32         started        34 powershell.exe 17->34         started        36 Ydgmbana.exe 17->36         started        file6 signatures7 process8 dnsIp9 66 discord.com 162.159.137.232, 443, 49707, 49712 CLOUDFLARENETUS United States 19->66 68 api4.ipify.org 64.185.227.156, 443, 49700, 49710 WEBNXUS United States 19->68 70 api.ipify.org 19->70 50 C:\Users\user\AppData\Roaming\...\Skype.exe, PE32 19->50 dropped 52 C:\Users\user\...\Skype.exe:Zone.Identifier, ASCII 19->52 dropped 96 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->96 98 Tries to steal Mail credentials (via file / registry access) 19->98 100 Creates multiple autostart registry keys 19->100 102 3 other signatures 19->102 40 conhost.exe 24->40         started        72 api.ipify.org 26->72 42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        46 conhost.exe 32->46         started        48 conhost.exe 34->48         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e00d864918670e82b26e4dd616644aa3c22ead3495ec6ca6e2588e6a855aad8/
Threat name:
ByteCode-MSIL.Trojan.Startun
Create hunting rule
Status:
Malicious
First seen:
2022-12-10 09:41:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hyanqzerqzyoqkzg4towczsevi6cf2wtjfpmnstoeweonkcvvlma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26cd2bcced6805a4bcfb2f0f36ee11314431ae022d0a38ec91f0108a6625dd07
AgentTesla
2b9b066e3049207623a9b58439eedeb0c226895e8a37431fb65ab15fc168636e
AgentTesla
2d5d72d557920e6beef5c35e3cdd3ddd1339b2c4306e4b79e540058afede2063
AgentTesla
2f356283c209400c6385a24450f266b59477e035e9389c8d1af4843cd1ad2374
AgentTesla
3e8e2a2868f0e729a298541b51105ca23c60b0ffaa2c7b7c89e8a1edc0b2eab7
AgentTesla
6982961c3413825c0f715fc5415109fc3072567725744de8381c2b9030880e5b
AgentTesla
6bf40a84dcada0287d1491ead582f48d2a7d89528cbfe635bceb85a8925dcc12
AgentTesla
7c042716cacb46c8c1a105fd13ceb1093f20d28c869623c4d2236805876a9f1d
AgentTesla
807a0cf73f9ab381196d8905fec842ea5ad8c13148e955f3f86895d9de7ed685
AgentTesla
9b19f138d170fb4ac954ca804d5877bdfd4f6d3342fde823a9fe7a6a69c078a5
AgentTesla
+ 9'545 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221210-prr9raac6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b25c8a19-99d8-4bfa-8026-cc1258809d99
Unpacked files
SH256 hash:
3e00d864918670e82b26e4dd616644aa3c22ead3495ec6ca6e2588e6a855aad8
MD5 hash:
e21cdaf4693263a36d6f3f6d7544bc19
SHA1 hash:
91d37dac1d4669e0fc704ddbef4ffae00534d826
Link:
https://www.unpac.me/results/d9a7cc60-0796-4d3f-9af6-51b7cfb2e1e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/3e00d864918670e82b26e4dd616644aa3c22ead3495ec6ca6e2588e6a855aad8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/344988/

Comments