MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ee59149caa2a1f67159eb37aca56d4e1019ea5b33851c5b724a4911c0b0b4d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AgentTesla
Vendor detections: 9

SHA256 hash: 3ee59149caa2a1f67159eb37aca56d4e1019ea5b33851c5b724a4911c0b0b4d7
SHA3-384 hash: 2f92a24897898b20972c4330377ccb9ddfd6d3a8edd6694dd0fb2a3e0c7f3d99fc5646b9c14eb7dfd004adbab7c8f103
SHA1 hash: 29208213ceb4ef86c567e7b626c527d914137844
MD5 hash: af0369c72a9f9acfeed0d609863d8a2d
humanhash: eighteen-thirteen-floor-kitten
File name: Request Quotation for Tender Purpose in Middle East.exe
Signature: AgentTesla
File size: 800'768 bytes
First seen: 2020-09-28 13:52:08 UTC
Last seen: 2020-09-28 14:46:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ccd477c88c3e8be26b5e0692515f665c (4 x AgentTesla, 1 x Loki, 1 x Formbook)
ssdeep: 12288:D38ZC2jTIBwgM9poZThtKyx12lwLxog3rChBQhwIRP1SnksxNqCXdi:DfzBw3PotKWR9h3On6t1SnXXo
Threatray: 224 similar samples on MalwareBazaar
TLSH: A7058E36B2A15833C123E57C9C0B5774AC26BA503A2479A62BF5CC7C5F3D691383A1B7
Reporter: James_inthe_box
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 92
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-09-27 14:40:17 UTC
File Type: PE (Exe)
Extracted files: 25
AV detection: 25 of 48 (52.08%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: upx keylogger trojan stealer spyware family:agenttesla
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla

Unpacked files
SHA256 hash: 3ee59149caa2a1f67159eb37aca56d4e1019ea5b33851c5b724a4911c0b0b4d7
MD5 hash: af0369c72a9f9acfeed0d609863d8a2d
SHA1 hash: 29208213ceb4ef86c567e7b626c527d914137844

SHA256 hash: f4572f54d1806f432ec3620e02772736f2bbb159ce27d82437b60c383b48fa45
MD5 hash: dec215056b002ef1aed76df952f1a00e
SHA1 hash: ba94d981358f07150c8412c5ac0900b698181714

SHA256 hash: d564835e27ab3bddce214206c4de3cdc25c014021fc24a4cb31a4a6594218b1a
MD5 hash: 30fdaaee120b99ebfe232244e1426c54
SHA1 hash: 9e01b1175d659952f7d39ced5c94cecf0590119e
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
