MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e623a7b134fd08addeb0a34fefbf9fce20e69b422ae17273e5273d3fc73ba9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e623a7b134fd08addeb0a34fefbf9fce20e69b422ae17273e5273d3fc73ba9a
SHA3-384 hash: 7b9f205de1e6f3be315635d1b477378cd52b64e638de7ab637ed554a30a97dc6b98dae19d56a925d8ee7842d4a53de35
SHA1 hash: 0c0fe10ec5794a95a8e64bf37c9c8dfb4ddb9f60
MD5 hash: 0b7cc1b5e9cbe46d246ce1fa15d7590e
humanhash: bulldog-arizona-mississippi-india
File name:0b7cc1b5e9cbe46d246ce1fa15d7590e
Download: download sample
Signature AgentTesla
Create hunting rule
File size:665'600 bytes
First seen:2022-04-04 16:47:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:3xBJ1NUoFEIcJASaAb8facLD/CrePI7LljDvMcNYd:51NUPbJjYfZKZBP
Threatray 15'573 similar samples on MalwareBazaar
TLSH T1AAE4D03C5BE94B12FABE47BD91A5814097F8F222885FE70E5AD120FA1C77791CC21A17
File icon (PE):PE icon
dhash icon a2aab28acad696aa (10 x Loki, 8 x AgentTesla, 8 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/260692/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.34136.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware obfuscated packed remote.exe update.exe
Link:
https://www.filescan.io/uploads/624b218a40ce5db9f404ebc9/reports/d453fe60-8632-481a-a7ec-f9b6ca38fd68/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df46ae09-818a-4655-8ee7-490f47c314aa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970279
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 602766 Sample: FDvM4fxpq7 Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 9 other signatures 2->44 7 FDvM4fxpq7.exe 7 2->7         started        process3 file4 26 C:\Users\user\AppData\Roaming\oYKzGd.exe, PE32 7->26 dropped 28 C:\Users\user\...\oYKzGd.exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\AppData\Local\...\tmpB25C.tmp, XML 7->30 dropped 32 C:\Users\user\AppData\...\FDvM4fxpq7.exe.log, ASCII 7->32 dropped 46 Uses schtasks.exe or at.exe to add and modify task schedules 7->46 48 Writes to foreign memory regions 7->48 50 Adds a directory exclusion to Windows Defender 7->50 52 Injects a PE file into a foreign processes 7->52 11 RegSvcs.exe 2 7->11         started        16 powershell.exe 23 7->16         started        18 schtasks.exe 1 7->18         started        signatures5 process6 dnsIp7 36 mail.pisc.lk 108.170.60.107, 49766, 587 SSASN2US United States 11->36 34 C:\Windows\System32\drivers\etc\hosts, ASCII 11->34 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->54 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->56 58 Tries to steal Mail credentials (via file / registry access) 11->58 60 4 other signatures 11->60 20 conhost.exe 16->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e623a7b134fd08addeb0a34fefbf9fce20e69b422ae17273e5273d3fc73ba9a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 16:48:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e16551efbf1aacaf4bbc05653978d86979048f338f9fab4a123dd3831dcef4e
AgentTesla
20b7b1c260f94daef7d5fa785b9fd1427e13c4f81f390d06850bd4aa40ead748
AgentTesla
3757e17c90a0533f757b3ab31ae4886f55a34f3af775df5eb5e14982bb7dfcfd
AgentTesla
4b0f3abe3b0c7a9356687b4c29c68f9bab4247ca92cf5c37b42eec2881d3d2ec
AgentTesla
5bbe20646d38c2bb4bc38650649633c5a78522a6ea2f09f04cb6be0f3075544e
AgentTesla
f6e4842040712cdd0f767cd5a2a5be80c0928872f2399a671f66ad544b37fa5d
AgentTesla
+ 15'563 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220404-va38ksdbej/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
94cb9269052f30d1b5c943a52c7623724ecf3f1c162cf70b969fea080586b4fc
MD5 hash:
b00535989f2a30e7d44b66a0b1c952b8
SHA1 hash:
688fa8ccecf16f1b32682e56ea4a8076a9bb6e12
Link:
https://www.unpac.me/results/550d3d03-a1ec-4e92-a820-ee94f38c24f2/
SH256 hash:
33d4c58108a4f26d2d0396bfd4c97b1e43393a6a47fc8586bd164183872ada57
MD5 hash:
a281c8460b36a1719e6a3583a6053324
SHA1 hash:
5000fc2483f791f3dfeeb9ae6ab0d9a6959cefd9
Link:
https://www.unpac.me/results/550d3d03-a1ec-4e92-a820-ee94f38c24f2/
SH256 hash:
4f11e23f83f15d7a7ae0de4dddab6c5e2d3c2dc3a1e23a562b3ac7f8ed824ea7
MD5 hash:
2be5d1ef028c4b83bbd33c8d45ff714f
SHA1 hash:
13803e20f020ac067d288409e1fe9f278a5db260
Link:
https://www.unpac.me/results/550d3d03-a1ec-4e92-a820-ee94f38c24f2/
SH256 hash:
71764eb60a83a17343af4a26bf3ec546c5ee08454722233fd5cf59693327b1a4
MD5 hash:
bfcf754fb9acba752f79f44817b7be23
SHA1 hash:
01af19456b6f97790973d0d67a97ecc362ab7aed
Link:
https://www.unpac.me/results/550d3d03-a1ec-4e92-a820-ee94f38c24f2/
SH256 hash:
3e623a7b134fd08addeb0a34fefbf9fce20e69b422ae17273e5273d3fc73ba9a
MD5 hash:
0b7cc1b5e9cbe46d246ce1fa15d7590e
SHA1 hash:
0c0fe10ec5794a95a8e64bf37c9c8dfb4ddb9f60
Link:
https://www.unpac.me/results/550d3d03-a1ec-4e92-a820-ee94f38c24f2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3e623a7b134f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 3e623a7b134fd08addeb0a34fefbf9fce20e69b422ae17273e5273d3fc73ba9a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2130914/
Cape
Cape
https://www.capesandbox.com/analysis/260692/

Comments


Avatar
zbet commented on 2022-04-04 16:47:46 UTC

url : hxxp://198.46.201.96/aku/Akubueze%2013.exe