MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f58941384220ef9ed6d58fec255b96a08e1b60db39375764bac633a6c5c00de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f58941384220ef9ed6d58fec255b96a08e1b60db39375764bac633a6c5c00de
SHA3-384 hash: 5a357d5df7c983493d6ae7bd52d61437ae18d58d5323a67ea732e7b20d2daa4c0ba7f80f4fe9980a5490d13aadbbacc6
SHA1 hash: 9a10be2b7530674c33b9e0bab4e218000520b668
MD5 hash: 89dbaeda081c59fe1b0848a2defa634a
humanhash: pluto-illinois-kilo-friend
File name:3f58941384220ef9ed6d58fec255b96a08e1b60db39375764bac633a6c5c00de
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'076'736 bytes
First seen:2023-10-11 12:54:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:dRrizMqqptoo+2PIMnZiq6KS9sB9yGNQQn6Iq+:8M/too+QIeZiq6KS9UK
Threatray 152 similar samples on MalwareBazaar
TLSH T119358BDC3550799FC957CC76CA582D24FB242ABB470BD203D12316ADAA2DA8BDF141E3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71e0d0e0a2b6dc71 (3 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Doc 259023.rar
Verdict:
Malicious activity
Analysis date:
2023-09-27 05:45:40 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/5dbaaf6a-0c58-49d6-bb50-e71532dc1501

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/453246/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3f58941384220ef9ed6d58fec255b96a08e1b60db39375764bac633a6c5c00de
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e63d636c-32d4-4fc5-a10f-e0c7ebc6647d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1323715
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1323715 Sample: l4hDSQrV1F.exe Startdate: 11/10/2023 Architecture: WINDOWS Score: 100 40 sh003.webhostbox.net 2->40 42 api4.ipify.org 2->42 44 api.ipify.org 2->44 50 Found malware configuration 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 6 other signatures 2->56 8 l4hDSQrV1F.exe 7 2->8         started        12 dEjRzQBidmg.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\dEjRzQBidmg.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmp747F.tmp, XML 8->38 dropped 58 Detected unpacking (changes PE section rights) 8->58 60 Detected unpacking (overwrites its own PE header) 8->60 62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->62 70 2 other signatures 8->70 14 l4hDSQrV1F.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        26 2 other processes 8->26 64 Multi AV Scanner detection for dropped file 12->64 66 Machine Learning detection for dropped file 12->66 68 Injects a PE file into a foreign processes 12->68 22 dEjRzQBidmg.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 46 api4.ipify.org 104.237.62.212, 443, 49714, 49717 WEBNXUS United States 14->46 48 sh003.webhostbox.net 162.241.27.12, 49715, 49719, 587 UNIFIEDLAYER-AS-1US United States 14->48 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->72 74 Tries to steal Mail credentials (via file / registry access) 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3f58941384220ef9ed6d58fec255b96a08e1b60db39375764bac633a6c5c00de/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-09-25 13:15:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
20 of 38 (52.63%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h5mjie4eeihpt3lnld7mevnznieodnqnwojxk5slvrrtu3c4adpa._file
Verdict:
malicious
Similar samples:
63efc3445014bdf5bc7c990e30c279a5f1ef3aca8760335c91e5c774aac13d73
AgentTesla
76c0e4a0502324db78e70bd3b307ecb20405ee15c7321b1d6175b7d5b0701b1e
AgentTesla
78091d62251b24e840b99cf80f6f9f68a1725a1b2cc3a11aee84847e59b38ff6
AgentTesla
861858ded7f88ccc9998eb6286cf9376fe7509a04901808bc5a3d35b076412a6
AgentTesla
af5181b58209a8a6e973d806ba6e2321e7aba08b3bd56012d4f159a7b2f51ac2
AgentTesla
d2355e84bd9dff1872c5bf04051c3984de36958b0af97c1ad874bce663501399
AgentTesla
e1588fa2fbba71b436afb6df74166ffc100c422257b8c259debb07f3201bffeb
AgentTesla
f94a62b2332593b4de3797cb1fb3127a682f2623d12e5f731157190526f6ef5c
AgentTesla
+ 142 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231011-p5sgnsgh5t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b58e8f44c16e052c300e324d8d31929900420e527ee85eb4748251978ebe1a37
MD5 hash:
80e8120e0d74beaa8f70b44e00c66be6
SHA1 hash:
d00b435e8bb6402a2ce5775ef14cfc72e4964f4b
Link:
https://www.unpac.me/results/5923878d-f519-48bd-8a50-3c551b07bd65/
SH256 hash:
abed99881ce1e05907653d1697ae232575d0cf067fd5cc646e2e5ee9f7337c82
MD5 hash:
491a7170bd8a7ed81d03a64ff2598bdf
SHA1 hash:
8325a5bccba80878a14032c06b78b34db808b910
Link:
https://www.unpac.me/results/5923878d-f519-48bd-8a50-3c551b07bd65/
SH256 hash:
a266ef9a68743e82cd948444af794899d9320cfe09c195e39c539646b6e08220
MD5 hash:
ed02bd3e347a8ccd51d8da0ca3a47e81
SHA1 hash:
7b05b590e171f9c92e2331308c074f9eee57c440
Link:
https://www.unpac.me/results/5923878d-f519-48bd-8a50-3c551b07bd65/
SH256 hash:
c018b283b9f3ffc2bc235627e6139d6807e2dc34a63b41761fc85ffe70e32881
MD5 hash:
0f1e3472b988775b3876e3a95447551e
SHA1 hash:
4931e7080d8691772e9726e045a8b66bde8f8253
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/5923878d-f519-48bd-8a50-3c551b07bd65/
Parent samples :
ce5546e8bc7a298f9bd3506d36462eaf20f2d10f12605db2784f40b21d2207b0
2ce23f32cc6773a978869f6ace53a7ea4a441cab0ebb6ee0063faa57c6fe1625
034cc3d5fbbc537705c747c03967c9c52cfaa04554065fd050cdd78de60105ec
3f58941384220ef9ed6d58fec255b96a08e1b60db39375764bac633a6c5c00de
7b6fd30ec79bd18fdd0ef6f98aae50654584eb836db3200a870d60350bd5b67d
SH256 hash:
3f58941384220ef9ed6d58fec255b96a08e1b60db39375764bac633a6c5c00de
MD5 hash:
89dbaeda081c59fe1b0848a2defa634a
SHA1 hash:
9a10be2b7530674c33b9e0bab4e218000520b668
Link:
https://www.unpac.me/results/5923878d-f519-48bd-8a50-3c551b07bd65/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3f5894138422/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f58941384220ef9ed6d58fec255b96a08e1b60db39375764bac633a6c5c00de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/453246/

Comments