MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f0da0c03ce3305ae5fdc9d58b9dc4b8ab209abbd75743472440d21899c6167b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f0da0c03ce3305ae5fdc9d58b9dc4b8ab209abbd75743472440d21899c6167b
SHA3-384 hash: 64623b9af4c9e0eacfa2d4050b2dedb6ea1f41e6a63fef21738485a0150d8f5dd1ca2a2a8226d4f5286a8befb40977cf
SHA1 hash: c2de7ec6d436aae9d6ab958ea5a9ea4d0526a0e8
MD5 hash: a366bdc02e28b9b5cf46ac278998172b
humanhash: uniform-jupiter-cup-nineteen
File name:WAU.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:894'976 bytes
First seen:2022-06-03 08:31:38 UTC
Last seen:2022-06-03 11:57:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:qB2NwpmtpLTjVD47pBB7ZipmzaGArquQjqi8MzkwZrJYfNE3:qQtpLe7l7EGbuQ2irHZ1INE3
Threatray 17'688 similar samples on MalwareBazaar
TLSH T1AB158D5C29A5C925F0AF333BC266465A89F87027724AFB492FC51CE5383F6538E816CD
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter pr0xylife
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Book1.xlsx
Verdict:
Malicious activity
Analysis date:
2022-06-03 08:31:20 UTC
Tags:
exploit CVE-2017-11882 loader agenttesla
Link:
https://app.any.run/tasks/442d9272-2dd8-47c1-a2bb-249a7b7c70b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276461/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.32383.30863.20012.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe wacatac
Link:
https://www.filescan.io/uploads/6299c71298a5e4f2925de0e5/reports/97fd5207-bf64-40df-a230-ebf2e7658bfe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07d7c2a7-e9a7-45c5-9270-a4c5dac6337d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1006178
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3f0da0c03ce3305ae5fdc9d58b9dc4b8ab209abbd75743472440d21899c6167b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-02 13:21:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h4g2bqb44myfvzp5zhkyxhoexcvsbgv325lugrzeidjbrgogcz5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
127e512be158b258d5db5e050b3b79c41bbdf08a66d11fd75a7ef93ccd1cc7a5
AgentTesla
58c4b64412b4dd61472d6df712f5ec38b7b2f8d88d6607b90804c4253b6400f4
AgentTesla
767993476ab8416016c41b44654f391fed6af498937c8b7ab2f9af9a14c5f749
AgentTesla
e46d797785ee0837fbe4f643f1f8bfe3331306c3b46b2505b72e2e562b6b8525
AgentTesla
ff75c7241e090b211f4c9a2742ebf774ad878619eeef8701a8af3a6229da1e8e
AgentTesla
+ 17'678 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220603-ke9wtahehj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil via FTP
Unpacked files
SH256 hash:
0356bad9b1f4ef1c34f7ec4743095e8c726d3fe3a795138b22a4103f884e2076
MD5 hash:
21ee5f27a48fbd058a9536e16b7a4bf5
SHA1 hash:
a56d1fda2d36d21548abd5cf67e342728b8cfe9b
Link:
https://www.unpac.me/results/902debc6-174a-4809-b9cd-9af1127c53c8/
SH256 hash:
68047725fe690d503a2c100542323e99b597f90366631591561e2e521f44aef7
MD5 hash:
82d6feb4655c5436900b0aaa026948ec
SHA1 hash:
a3c4dfa388ba377fd2be370596bab7d5a48c17b7
Link:
https://www.unpac.me/results/902debc6-174a-4809-b9cd-9af1127c53c8/
SH256 hash:
cb26b701bc1699839c29f93790c5df718a973f31578b9a4990aae8fe9da69bf7
MD5 hash:
17f5844b5d2431ae393db562d1555644
SHA1 hash:
4f1a8750cb5104595ff70fb2b731cbf11a1284a0
Link:
https://www.unpac.me/results/902debc6-174a-4809-b9cd-9af1127c53c8/
SH256 hash:
4d7a1202e5360fcc3a77f8d9af28f80b26ae66346341a973dc8ac9096d8a8747
MD5 hash:
3f428362a2e853d401aea8fa0b452721
SHA1 hash:
4ced635ff3431693515c91eb57b3c32f1acdedca
Link:
https://www.unpac.me/results/902debc6-174a-4809-b9cd-9af1127c53c8/
SH256 hash:
3f0da0c03ce3305ae5fdc9d58b9dc4b8ab209abbd75743472440d21899c6167b
MD5 hash:
a366bdc02e28b9b5cf46ac278998172b
SHA1 hash:
c2de7ec6d436aae9d6ab958ea5a9ea4d0526a0e8
Link:
https://www.unpac.me/results/902debc6-174a-4809-b9cd-9af1127c53c8/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3f0da0c03ce3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f0da0c03ce3305ae5fdc9d58b9dc4b8ab209abbd75743472440d21899c6167b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 3f0da0c03ce3305ae5fdc9d58b9dc4b8ab209abbd75743472440d21899c6167b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/276461/
  
URLhaus
https://urlhaus.abuse.ch/url/2223086/
  
Delivery method
Distributed via web download

Comments