MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e4483bff852f83c8c2e8fcf81f20c6473a296b7f9d3fbca391cff4303bb94d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	3e4483bff852f83c8c2e8fcf81f20c6473a296b7f9d3fbca391cff4303bb94d3
SHA3-384 hash:	a339a528cd81fe9e1e82d2ecf5add7e13489573207c92052e6b348952e0d79330b3a79d6ce325fbb8b7352e0a3b9723d
SHA1 hash:	6d59ae944d20e4a824f4343e37447534643b7be5
MD5 hash:	4c627bc8a6bac5edce13474299b83e7f
humanhash:	cola-wolfram-venus-iowa
File name:	ob.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	221'184 bytes
First seen:	2020-09-30 20:21:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	3072:3GWeW3bJf4m+Vp7spFUCfpacn3NUtsZMKLkqmyLUFiHbuuA/GjlT9gc4TtDKG8:33L+4XUNg3c4A+HbfflT945DK
Threatray	236 similar samples on MalwareBazaar
TLSH	CA242A1A6714D520CB5F417FC016820831F1DB07A71AD78F5AA6D8FA2F812CEF92B9E5
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/67215/

Detection(s):

Win.Packed.Razy-9768966-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/478728

Signature

Antivirus / Scanner detection for submitted sample

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e4483bff852f83c8c2e8fcf81f20c6473a296b7f9d3fbca391cff4303bb94d3/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2020-09-30 20:21:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hzcihp7ykl4dzdbor7hyd4qmmrz2ffvx7hj7xsrzdt7uga53stjq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2769e7180962969c0f1cfaa16850c17e6a44b298b3c5899d32b37366a090727d

AgentTesla

423349485a78884c5ed9d7a2b933f65d4ca59c1e6bc0543b752ccac6bf6e0b95

AgentTesla

6301733be7a1058abac7988f9143ca5739c05e9a12a567d1ca2593f3b64f818f

AgentTesla

65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1

AgentTesla

7b5cd0182b1122c0231fb30af6252fe4b0b9a9dd0962d14264ff1f09ced46943

AgentTesla

8ca10b0fcde48ff00c9218062eb8aefe2a9d3ddc5e240a9da4a2e7764cbfff90

AgentTesla

c01c0556641fcb384b2ab40d5d4a3fb6c5f119590b679e8957065038699c88a1

AgentTesla

c48e35f8fcabd28e3598287342ddc3f3d28f24d6415786a980675d456e0836f9

AgentTesla

d7f3cc72163e809b398c83abb04b237d3f900fee8886e862995a2e5995c3d627

AgentTesla

+ 226 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200930-ly2r98ghbs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

3e4483bff852f83c8c2e8fcf81f20c6473a296b7f9d3fbca391cff4303bb94d3

MD5 hash:

4c627bc8a6bac5edce13474299b83e7f

SHA1 hash:

6d59ae944d20e4a824f4343e37447534643b7be5

Link:

https://www.unpac.me/results/8311ef44-6122-4828-88ab-3e7ea514c58a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e4483bff852f83c8c2e8fcf81f20c6473a296b7f9d3fbca391cff4303bb94d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/67215/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample