MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e63a6ac7005b4a485be33309d09c80395408c3310da4db8dc1a8e12535644e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e63a6ac7005b4a485be33309d09c80395408c3310da4db8dc1a8e12535644e4
SHA3-384 hash: b86a2657e8c61a10a3a8468e0eacf1306f10a459be67d1d3c741baff7b753923e5adadda68a28d3fb9c189c87d977507
SHA1 hash: d59072ce0da620df4148267b0e4debfd470fc805
MD5 hash: f3258c047be69799b5c01229cf7bf451
humanhash: delta-island-golf-zulu
File name:Payment Slip.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:793'088 bytes
First seen:2022-05-27 19:19:44 UTC
Last seen:2022-05-27 19:40:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:ycEEnNAgs/WnsIqCV/bhgW892PjSbCjUQ:HRS0sIqyV/S2PhUQ
Threatray 17'497 similar samples on MalwareBazaar
TLSH T1EEF4E01A72979E13C0A813F981C2D42493F61517E431E3CB2FCA65D62B457EACDCAB87
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c066e276b4c470a4 (18 x AgentTesla, 10 x Formbook, 2 x Loki)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
485
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Payment Slip.exe
Verdict:
Malicious activity
Analysis date:
2022-05-27 19:21:30 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/8ea56d68-2492-4476-894a-038a1f516280

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/275096/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Bladabindi.1.21894.7772.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6291247ceba388bb8684bbc8/reports/617fb3a3-e017-4086-a494-089e084e3399/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7b13530-c18b-4406-9b23-b3a2fceff133
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1002921
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 635414 Sample: Payment Slip.exe Startdate: 27/05/2022 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 13 other signatures 2->62 7 Payment Slip.exe 7 2->7         started        11 Tnpak.exe 2->11         started        13 Tnpak.exe 2->13         started        process3 file4 36 C:\Users\user\AppData\Roaming\IGlxtzg.exe, PE32 7->36 dropped 38 C:\Users\user\...\IGlxtzg.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmp8A54.tmp, XML 7->40 dropped 42 C:\Users\user\...\Payment Slip.exe.log, ASCII 7->42 dropped 64 Writes to foreign memory regions 7->64 66 Adds a directory exclusion to Windows Defender 7->66 68 Injects a PE file into a foreign processes 7->68 15 RegSvcs.exe 2 4 7->15         started        20 powershell.exe 25 7->20         started        22 schtasks.exe 1 7->22         started        24 conhost.exe 11->24         started        26 conhost.exe 13->26         started        signatures5 process6 dnsIp7 44 subnet-group.com 206.189.39.129, 49767, 587 DIGITALOCEAN-ASNUS United States 15->44 46 mail.subnet-group.com 15->46 32 C:\Users\user\AppData\Roaming\...\Tnpak.exe, PE32 15->32 dropped 34 C:\Windows\System32\drivers\etc\hosts, ASCII 15->34 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->50 52 Tries to steal Mail credentials (via file / registry access) 15->52 54 5 other signatures 15->54 28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3e63a6ac7005b4a485be33309d09c80395408c3310da4db8dc1a8e12535644e4/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-05-27 18:34:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzr2nldqaw2kjbn6gmyj2coiaokubdbtcdne3og4dkhbeu2witsa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0918c0111b97f8a25e9717e9b74a96c85e9f3801e2922bb050e8024edf9adff0
AgentTesla
4303985ee7b44ba9c01edd967873f8b12df0dcd267f48df10962b3368e01ff82
AgentTesla
6a0cdf63baad32236d845d0027822d4e9c67ac4f9bddd9933ada09f9811dbca5
AgentTesla
6ac706b6fe1af38091271422e7b896393f32f34924e84f15ac296d837ce56605
AgentTesla
d3e50ef8f29f78a2bff3ddf40d6eb7a25986a549beba200ad9ff678dad816279
AgentTesla
dd0bdbd65d12a9ee3c2aea6c16ca0a6bf913d09a72385bfda2b1d8a6e1011436
AgentTesla
+ 17'487 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220527-x13qvahff4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops file in Drivers directory
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
8eea34761755bde6873f711d42e0cea8c3a08b702c192fb02749c0a6af01c7ec
MD5 hash:
41e199eb276a7ead0799dbf2948af888
SHA1 hash:
58e52db4474a979245a79d8f7686eff2f7be6f5f
Link:
https://www.unpac.me/results/9e2c9b2c-64d8-4dc5-b7a1-08fc9056babc/
SH256 hash:
742bfb49cf3904931ce87b810106611867a6b4b7a8d69f308e21d9d221365b3d
MD5 hash:
81cf021b05eebb622775151dc87f2aa1
SHA1 hash:
480c103ac6e66fe00b488d286832dc89eee088a6
Link:
https://www.unpac.me/results/9e2c9b2c-64d8-4dc5-b7a1-08fc9056babc/
SH256 hash:
3e10ad86caaa17160b44fa871db35e2e96f3567ea6aa13ee48eb474a27ecb09c
MD5 hash:
61416458f837ae43c54fd5f7361ffd0f
SHA1 hash:
3fe491da26f4802b0abdfd3078a1fe858779663f
Link:
https://www.unpac.me/results/9e2c9b2c-64d8-4dc5-b7a1-08fc9056babc/
SH256 hash:
d99dfd36246209ac31004ad9e2efde70488ac6402293980e4c7e2d8427ed939a
MD5 hash:
48bffbfc063691cf5c0d3dc5c62bc7a0
SHA1 hash:
371a6c672c3df5d7159b8045bd1251e77022143b
Link:
https://www.unpac.me/results/9e2c9b2c-64d8-4dc5-b7a1-08fc9056babc/
SH256 hash:
838741a6c2293d30f76e1b8c6f710e88f8fc165994f3b25fafe5a17026431191
MD5 hash:
40bd18b576c1eb6890b419893e33aae3
SHA1 hash:
34a8cdba6e55e0b78b2a0b91cb49495cd9ddf0d8
Link:
https://www.unpac.me/results/9e2c9b2c-64d8-4dc5-b7a1-08fc9056babc/
SH256 hash:
3e63a6ac7005b4a485be33309d09c80395408c3310da4db8dc1a8e12535644e4
MD5 hash:
f3258c047be69799b5c01229cf7bf451
SHA1 hash:
d59072ce0da620df4148267b0e4debfd470fc805
Link:
https://www.unpac.me/results/9e2c9b2c-64d8-4dc5-b7a1-08fc9056babc/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3e63a6ac7005/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e63a6ac7005b4a485be33309d09c80395408c3310da4db8dc1a8e12535644e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3e63a6ac7005b4a485be33309d09c80395408c3310da4db8dc1a8e12535644e4

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/275096/

Comments