MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ec765c9bb4306f79f0a66c06fbed0327a19c71ad4e2088ba920b09269966c72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ec765c9bb4306f79f0a66c06fbed0327a19c71ad4e2088ba920b09269966c72
SHA3-384 hash: d412cb35361b97e245e710aefa7eebd76fc2542ad309b6b048bf292c218cf2bd3dff1c23549aeba85040c1c259d3a6d6
SHA1 hash: e5020201d09f4d14c43d6c53691a73a1703367cc
MD5 hash: 24df28a729fb359d3e92eeabe1b71fcd
humanhash: helium-ack-asparagus-florida
File name:Request_For_Quote.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:635'392 bytes
First seen:2023-10-09 13:29:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:SMYnQ3j67SESV1eXl8OhA90qGMzLplYrlSKTQt6rVNjw8zTTyNebEBPKvUOokO8G:SBqGMzdlY7eWA8nTyNDHOlO1kw
Threatray 186 similar samples on MalwareBazaar
TLSH T19AD4F14573E6A840E3BF97F50DF2AB982B71714BA141CB4E4D636BAC9A313428700F97
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Request_For_Quote.exe
Verdict:
Malicious activity
Analysis date:
2023-10-09 13:33:54 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/9efbcae2-1f99-427e-bb3a-89a707c00a0c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61718.2522.28566.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending an HTTP GET request
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6524005b9b16696e9f977be1/reports/d147ef27-985c-4b6f-a5fc-2e8a012acf47/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/3ec765c9bb4306f79f0a66c06fbed0327a19c71ad4e2088ba920b09269966c72
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f5c4d9b-732d-4250-9342-f68e66e645d2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1322190
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Copy file to startup via Powershell
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1322190 Sample: Request_For_Quote.exe Startdate: 09/10/2023 Architecture: WINDOWS Score: 100 34 zqamcx.com 2->34 36 mail.zqamcx.com 2->36 40 Found malware configuration 2->40 42 Antivirus detection for URL or domain 2->42 44 Antivirus detection for dropped file 2->44 46 12 other signatures 2->46 8 Request_For_Quote.exe 3 2->8         started        11 system.exe.exe 3 2->11         started        signatures3 process4 signatures5 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->48 50 Bypasses PowerShell execution policy 8->50 13 Request_For_Quote.exe 2 8->13         started        17 powershell.exe 13 8->17         started        20 Request_For_Quote.exe 8->20         started        26 2 other processes 8->26 22 system.exe.exe 2 11->22         started        24 powershell.exe 11 11->24         started        process6 dnsIp7 38 zqamcx.com 78.110.166.82, 49738, 49739, 49740 UKSERVERS-ASUKDedicatedServersHostingandCo-Location United Kingdom 13->38 32 C:\Users\user\AppData\...\system.exe.exe, PE32 17->32 dropped 52 Drops PE files to the startup folder 17->52 54 Powershell drops PE file 17->54 28 conhost.exe 17->28         started        56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->56 58 Tries to steal Mail credentials (via file / registry access) 22->58 60 Tries to harvest and steal browser information (history, passwords, etc) 22->60 30 conhost.exe 24->30         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3ec765c9bb4306f79f0a66c06fbed0327a19c71ad4e2088ba920b09269966c72/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-09 13:29:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3dwlsn3imdpphykm3ag7pwqgj5btry22trarc5jecyje2mwnrza._file
Verdict:
malicious
Similar samples:
40d0a5c663f59b7454e4e8535918b57ccba56e5f445d02e384debb16b868ebce
AgentTesla
4a699a693c63228aebd3e0bc98d92fe2d8bb7ae487992e81cfee767f0b9ed1bf
AgentTesla
524368752b84b9040d4ea648e6fa1197da3be58af376b2c09b375e21f5cc7fb0
AgentTesla
78091d62251b24e840b99cf80f6f9f68a1725a1b2cc3a11aee84847e59b38ff6
AgentTesla
7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c
AgentTesla
89bc9fdb7d1d93a49c7cf3ccfff8ec5c174a44dd580e63e3cb47de448e9daefc
AgentTesla
c7825ac17db3d7a4fca371b94a6bc4aa7d22e40bfa10e24b0c3ef063c82de7d5
AgentTesla
e1588fa2fbba71b436afb6df74166ffc100c422257b8c259debb07f3201bffeb
AgentTesla
f94a62b2332593b4de3797cb1fb3127a682f2623d12e5f731157190526f6ef5c
AgentTesla
+ 176 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231009-qrsqysdb3t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d49b28738997efa291105c209920d6f68e8947a879e47e2c079a1fc6b2a9d590
MD5 hash:
3a8524651b92efc224b3e99b3d8c05f5
SHA1 hash:
72a3b6cf58f018bfaba4d9327976515802001b66
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/e2496e9d-afb5-4869-8eef-2c52a8616964/
Parent samples :
3ec765c9bb4306f79f0a66c06fbed0327a19c71ad4e2088ba920b09269966c72
be97e1d540ea8ba81adbd8873a4ef6123f6d5d3ff51fa010e432ae7e4cad8e99
SH256 hash:
4d9e9d486249c27d02b521ec1b2f994d25ee070aa6086263071635f23ede5a47
MD5 hash:
399fb6c9fc4b8dcb0b4058a0bb3efe4b
SHA1 hash:
6a9f97a8e6e13afd4156e935000f839ff25acb44
Link:
https://www.unpac.me/results/e2496e9d-afb5-4869-8eef-2c52a8616964/
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
Link:
https://www.unpac.me/results/e2496e9d-afb5-4869-8eef-2c52a8616964/
SH256 hash:
3ec765c9bb4306f79f0a66c06fbed0327a19c71ad4e2088ba920b09269966c72
MD5 hash:
24df28a729fb359d3e92eeabe1b71fcd
SHA1 hash:
e5020201d09f4d14c43d6c53691a73a1703367cc
Link:
https://www.unpac.me/results/e2496e9d-afb5-4869-8eef-2c52a8616964/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ec765c9bb43/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ec765c9bb4306f79f0a66c06fbed0327a19c71ad4e2088ba920b09269966c72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_bytecodes_sep_2023
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3ec765c9bb4306f79f0a66c06fbed0327a19c71ad4e2088ba920b09269966c72

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments