MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ee7aa3a891ec3cdb3d03240d19ec0495e9439bebaaf271ed753a08dc9dfe078. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ee7aa3a891ec3cdb3d03240d19ec0495e9439bebaaf271ed753a08dc9dfe078
SHA3-384 hash: 05de73176a5dac699d4155b434de93b9d8acec6cb91ed90f07708f02946ec0833df5d328d8bbebe027afa5c2cab66e87
SHA1 hash: a5104466ed0813dfff833b2080d129956941d7c9
MD5 hash: 112baddddf970b2722d01ae2fe9e8dec
humanhash: spaghetti-sweet-idaho-coffee
File name:PI#001890576.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:758'272 bytes
First seen:2021-05-03 05:40:57 UTC
Last seen:2021-05-03 06:02:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:HqenoLLoS60/K7yh0BGYfzUoELIoTDkcw1i3R2CjpLH++TDExWTZgduAW466:Hq8oLABJ4vTDkN1YdC+MxWTudp
Threatray 4'363 similar samples on MalwareBazaar
TLSH 48F47CFC751464F1D35B2C27A3CF4C0782251270693BAA1F9B2027BA5A67E173E3998D
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/148183/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707319
Signature
.NET source code contains very large array initializations
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3ee7aa3a891ec3cdb3d03240d19ec0495e9439bebaaf271ed753a08dc9dfe078/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 02:31:45 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3t2uoujd3b43m6qgjandhwajfpjion6xkxsohwxkoqi3so74b4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0dc0f8dca48090c22d53e8b76e32094fa65a5e994c01507a987dd9b572c10844
AgentTesla
1321e390a0141decaf5a8dab00fe02bc111ece34f446115842c6afa068c7fd3c
AgentTesla
225292deee765b9ce907a03a47645c52201a14dfb962345096fd30385fc63eae
AgentTesla
26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70
AgentTesla
2b4d627a6ac8c7eeca73863e772ca981672d29498629d0b86e1ef978a6ab2859
AgentTesla
2d03d586cd5f7c3a9cdda77d45f78124acfef0879489a78081b6885eb75dcd2d
AgentTesla
3a5c30055449247f22c553ec85ef739642e65e1046dac93d9ead539e2fc4fd07
AgentTesla
73919b4d792a4fc63ec3121edd6b41cfba0a266db32fac1f76132758c549b8e0
AgentTesla
9b28e086223a3a91a2888e62924e0d7d93bff6e333ae07167fad3aad15c45fb6
AgentTesla
b9b2c05c193a6df71266380c102c635199a45263722c6395a0b03de819a01ee1
AgentTesla
+ 4'353 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210503-xzzmqltd96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
033e327f13f29e0878a06761eeada186e2e668037cd2dc5873d7b1d25e01e18e
MD5 hash:
8d4f02d9f6073652977dfe99cb640d3c
SHA1 hash:
f5c3d239c4b22cb24626a80e38d8c7732030dee2
Link:
https://www.unpac.me/results/d1767e9d-8783-4d0b-ab9c-a1f742d6313b/
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/d1767e9d-8783-4d0b-ab9c-a1f742d6313b/
SH256 hash:
f0fb6027cfca7fe2c65e6cbd6a9a581418dfbe40ec477668a61a822a35b95f6d
MD5 hash:
13af30c2ea31473e1660c4c9f773efb3
SHA1 hash:
c63fb417a96f9939d5d6d480d403e6f2ac71cd48
Link:
https://www.unpac.me/results/d1767e9d-8783-4d0b-ab9c-a1f742d6313b/
SH256 hash:
3ee7aa3a891ec3cdb3d03240d19ec0495e9439bebaaf271ed753a08dc9dfe078
MD5 hash:
112baddddf970b2722d01ae2fe9e8dec
SHA1 hash:
a5104466ed0813dfff833b2080d129956941d7c9
Link:
https://www.unpac.me/results/d1767e9d-8783-4d0b-ab9c-a1f742d6313b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ee7aa3a891ec3cdb3d03240d19ec0495e9439bebaaf271ed753a08dc9dfe078

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148183/

Comments