MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77
SHA3-384 hash: 1d5572c05ac3aaa79dda9ba71a8dafaabe86eee9829b650c91ce3b8844b25422b72da78169e66c7e9af93894abd126b7
SHA1 hash: 1ba6321f5b9151f8278498b3821d2c9a6b75f420
MD5 hash: 6c7715e014818f2bded8a7e8acfd7699
humanhash: wolfram-princess-south-lion
File name:INQ.6.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:449'536 bytes
First seen:2021-06-07 05:51:21 UTC
Last seen:2021-06-07 07:18:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:j0WPXe8Q26gT1zTHNtoBFidANUreJBuGbk:jx56gTBzNgEdm3JEGg
Threatray 5'848 similar samples on MalwareBazaar
TLSH C5A40123653C945EF20840B3F3A39565A7A15D210FB21BC37E1EB0A3777692C6A6B71C
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INQ.6.exe
Verdict:
No threats detected
Analysis date:
2021-06-07 06:02:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f593f202-4a3a-473f-afb7-f7e5bbf260b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164879/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.1618.7550.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797790
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 05:52:15 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h4wlusb65libzzjbpl6zrwbqqad46s2ll2a32zmne647ggv4jn3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0dcebcbff7b84930e0796b27a4f795480423a122d6d201e45073678832b0961f
AgentTesla
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
14f81ecd4986ab4802d00a55fce04c132c1c25a7146ac4e99026cc666f9c3c6c
AgentTesla
337a895245dcdbe522c4320dbe1dfd62e346aecad8246f9b895a5460211865b0
AgentTesla
360dc7aa2889b1ed05b553eccab73348de2fae89cd7742e64422712298b670ca
AgentTesla
517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c
AgentTesla
87178907c9c47a383a2a08a30481dbc5345b6c85c48142a855900d9840e6b6da
AgentTesla
a56b83419b879f415fcd6961f31ad0345305288cd67b61ce4a533f8c2ae12c25
AgentTesla
be7af0c2f9356ba016baa597e558df431fa2c5fbd4ac2fbf8d86a24662dcd464
AgentTesla
dea2e88e71d3b38500aca694a9ba1f476d8db14e5389a2cf70b23cad51eb33c9
AgentTesla
+ 5'838 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210607-hlpd64m4ge/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
SH256 hash:
4dc25ffead390cd93902d38bc45f66cac03ce166633010d105315c067606ca50
MD5 hash:
5c4088e18d0ca3c1678ee4dd819ca72e
SHA1 hash:
47a518b1cca0b9538aca5edce370a4d9264a4dd3
Link:
https://www.unpac.me/results/028223fb-c8c6-4757-9f0d-3c78a89e9caf/
SH256 hash:
5cbdf396ccddac1561ca2b831dd7a37b7d1f99dac7f78fe8289ddadf3df75461
MD5 hash:
4b23b852f42c3a2ea596e269b98b55e8
SHA1 hash:
813d60ea22be456fdae14686d1e9d1fade7d685a
Link:
https://www.unpac.me/results/028223fb-c8c6-4757-9f0d-3c78a89e9caf/
SH256 hash:
a30f7b5ce05589a0a4391ffe85bdc4a55e308ab9da95fee9b8e06639bda468d8
MD5 hash:
d9c89f7985f2d6d3f82e9efe5d430037
SHA1 hash:
48fdb52b831203df9709dfa0ac65e7f8ecd77600
Link:
https://www.unpac.me/results/028223fb-c8c6-4757-9f0d-3c78a89e9caf/
SH256 hash:
29164789873ee7309c1be6d379910ccf4d6232cd9d9a1455dcdf0f7963c39346
MD5 hash:
5ff5de3908b04160e9fae4e5fbbe05d5
SHA1 hash:
1eabed3a0caa850b3f84d7b3caeb0d3ee1b14396
Link:
https://www.unpac.me/results/028223fb-c8c6-4757-9f0d-3c78a89e9caf/
SH256 hash:
3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77
MD5 hash:
6c7715e014818f2bded8a7e8acfd7699
SHA1 hash:
1ba6321f5b9151f8278498b3821d2c9a6b75f420
Link:
https://www.unpac.me/results/028223fb-c8c6-4757-9f0d-3c78a89e9caf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/164879/

Comments