MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e43fc7961678765fa09b867e27d15c9246bdd19f599a7b6e1ce215f3c03f104. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e43fc7961678765fa09b867e27d15c9246bdd19f599a7b6e1ce215f3c03f104
SHA3-384 hash: a9c3d498ddb90a8c7754e50d71871b33a30ba3416d5461333c2433134dffaa2d4e749568a19cd756583b36ff1183929f
SHA1 hash: f3bc20ec0642dc6b1d9433b377df071802536442
MD5 hash: de2d79bd4c61f5ba062c16264f383a9c
humanhash: burger-kansas-winner-nine
File name:W5yGEg5aqOJcVA8.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'556'480 bytes
First seen:2021-06-22 06:00:54 UTC
Last seen:2021-06-22 06:49:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:IHRRip5+bp/FsOiPksa8AVoGoA0zSaL0m93CePx+iJHENMkjiA:IH5/K3AboA0zsYPx+iJkNMAiA
Threatray 6'007 similar samples on MalwareBazaar
TLSH 7B75E1124ECF422EE2758EB557B0AC47C3765EB62A05B2213DC032EDCA335DAD9EE511
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
W5yGEg5aqOJcVA8.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-22 06:02:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/03676365-1438-4ded-9f41-dea06db6f7c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167433/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.6645.13201.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b764873-56d6-477c-a54a-8160d069f563
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805731
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438142 Sample: W5yGEg5aqOJcVA8.exe Startdate: 22/06/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected AgentTesla 2->46 48 5 other signatures 2->48 9 W5yGEg5aqOJcVA8.exe 3 2->9         started        13 tnvLnx.exe 2 2->13         started        15 tnvLnx.exe 2 2->15         started        process3 file4 38 C:\Users\user\...\W5yGEg5aqOJcVA8.exe.log, ASCII 9->38 dropped 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->52 54 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->54 56 Injects a PE file into a foreign processes 9->56 17 W5yGEg5aqOJcVA8.exe 2 9->17         started        58 Machine Learning detection for dropped file 13->58 20 tnvLnx.exe 13->20         started        22 tnvLnx.exe 13->22         started        signatures5 process6 signatures7 40 Injects a PE file into a foreign processes 17->40 24 W5yGEg5aqOJcVA8.exe 2 5 17->24         started        28 W5yGEg5aqOJcVA8.exe 17->28         started        process8 file9 34 C:\Users\user\AppData\Roaming\...\tnvLnx.exe, PE32 24->34 dropped 36 C:\Users\user\...\tnvLnx.exe:Zone.Identifier, ASCII 24->36 dropped 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->50 30 MpCmdRun.exe 1 28->30         started        signatures10 process11 process12 32 conhost.exe 30->32         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3e43fc7961678765fa09b867e27d15c9246bdd19f599a7b6e1ce215f3c03f104/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 06:01:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzb7y6lbm6dwl6qjxbt6e7ivzesgxxiz6wm2pnxbzyqv6pad6eca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04538fa6efd1de9c1eb97acc72b3ce8f5625ab5a9e41c7eb7c9d753ccbb7881e
AgentTesla
216dc98d0a9b992b98806b104dfea335abe2c28673825b0b26dda374d62b46f2
AgentTesla
2bc56dd47a78f4275986e243fb30e12b6b17b06ac420d0464b2bdc0b4b27ebbe
AgentTesla
6413bfe11d962866d306007489ae88c102a5550ef22f1a0ae69231d1a04964be
AgentTesla
6d4d2a2d69e81b0f6b91a437aaf0869956306c347f0b2ed492168f95d6b24d93
AgentTesla
7299f2323910def53bb344e98441a66dba82b84b0d8ec89dbddf0ee6a936280a
AgentTesla
7a1250d86cbe4957fe35dd7e98412e2e2c7388e155731e2d6b0ddbb5241043b4
AgentTesla
7d7924e92e2e23345b47169e428d4bc85cd5140e733e90512d28cef9e7d0c38a
AgentTesla
c6b6c3ad94852d0fb8d6cf6d3aa2c4bfd14c627287317a72995a4c59a12d331e
AgentTesla
f3ce6962e0e3ac2cb3384df02bf0e4851362eeceae101d92f26ba641e4846e20
AgentTesla
+ 5'997 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210622-17brqv4jm6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
42b564620ace61712f7385f0d2aee31072476f699708c8a9340f0fe56f90cdcb
MD5 hash:
92dbe745db0bfb2f7fb6f5fb952563b1
SHA1 hash:
9ec2491dde25e7c092038bf7ffcbd7865b19148d
Link:
https://www.unpac.me/results/b4bbfef4-3aad-43e9-bc3c-ad692725da2b/
SH256 hash:
6e8b13a751febadb0ae379917e9c08c1f0ddfbd131973cb23958d4d7f6bd370d
MD5 hash:
e7e06df26dd6a808b03386dbc0e4da5c
SHA1 hash:
46d6cb2ecaa2731757d59e8c83eb0f8f87c0f25c
Link:
https://www.unpac.me/results/b4bbfef4-3aad-43e9-bc3c-ad692725da2b/
SH256 hash:
c83ad20647f204d777a9b49505433cd85064b5fc2e97a170b9b5e40eb3ba7307
MD5 hash:
d59f456e50b03bf1d20f5db42f6f8689
SHA1 hash:
02f331c795d23e29f45170d1182383f87175ab32
Link:
https://www.unpac.me/results/b4bbfef4-3aad-43e9-bc3c-ad692725da2b/
SH256 hash:
3e43fc7961678765fa09b867e27d15c9246bdd19f599a7b6e1ce215f3c03f104
MD5 hash:
de2d79bd4c61f5ba062c16264f383a9c
SHA1 hash:
f3bc20ec0642dc6b1d9433b377df071802536442
Link:
https://www.unpac.me/results/b4bbfef4-3aad-43e9-bc3c-ad692725da2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e43fc7961678765fa09b867e27d15c9246bdd19f599a7b6e1ce215f3c03f104

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 0f9ac899b92a075ecac20e5539a9f6ef0365b6b2e39c537ea83f45069b86a628

AgentTesla

Executable exe 3e43fc7961678765fa09b867e27d15c9246bdd19f599a7b6e1ce215f3c03f104

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0f9ac899b92a075ecac20e5539a9f6ef0365b6b2e39c537ea83f45069b86a628
Cape
Cape
https://www.capesandbox.com/analysis/167433/

Comments