MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f5b4701d734a5036066424274d3de1b53c4d0814b41f727307556c7a1c408f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f5b4701d734a5036066424274d3de1b53c4d0814b41f727307556c7a1c408f7
SHA3-384 hash: 2c049fb904eadb010eb73130d637763a4c5aad16a196e400b5b4a42107d57f8a4eb4fddcc0c3631f229b12b5415d41cb
SHA1 hash: 69782022af595eaf09d7f706b26a328f8dd190fc
MD5 hash: c5bc25e433957078776a6cfcee5961c2
humanhash: island-indigo-burger-foxtrot
File name:SecuriteInfo.com.BackDoor.SpyBotNET.25.27385.9359
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'269'760 bytes
First seen:2021-02-03 13:19:54 UTC
Last seen:2021-02-03 14:16:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:PlqneQ/8wyua4jwAjdvDircPAetB7K/Q4BH2VeeZ69wjQsHGJsv8994KaGGCIaXb:9uK1WVy/W909FGQZGCIxh1Cz8PS
Threatray 224 similar samples on MalwareBazaar
TLSH C845BC73FBF0C6A5C456F37735EBE25A13A6F4F786208E91570A4FB11A610D2A8CE484
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Sample list.doc
Verdict:
Malicious activity
Analysis date:
2021-02-01 17:04:08 UTC
Tags:
trojan opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/a252b482-5c34-4d93-92bd-72d2a0f051ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115330/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.27385.9359.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Launching a process
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/597823
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3f5b4701d734a5036066424274d3de1b53c4d0814b41f727307556c7a1c408f7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-01 12:15:26 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h5nuoaoxgssqgydgijbhju66dnj4juebjna7ojzqovlmpioebd3q._file
Verdict:
unknown
Similar samples:
044c7600a63f48d98d55a52953fb22799e846d32b74fd9462a03b146747813e9
AgentTesla
1a864aa18c8cc51ec4cb515224a4d51d97e398eef752c537e7308d52897b61bf
AgentTesla
601832be346d3c348f20841847a679b4888006f7f8e062a8c3c581f1ea0eac52
AgentTesla
6676e9557ed6b68ca5919a7025e82f33fc0939914e26130953b29c3cf8981474
AgentTesla
842cda0e7609203f715a06b9eb524bd82593ad4dfc4d5cc1c7754cff47ccda29
AgentTesla
9bb2525c48049ffd05b8ad6a39a89245b6a4de4914275fcfad2beee8bfaa714d
AgentTesla
c7a2fcc718b3adeedee6e215f17799f22662a66c5c8e08af94ea641e9e909b8d
AgentTesla
d21f7c6f8a4fbbb00973d1ed40f4c9ca33920aaca079b70ff298db4e74b56134
AgentTesla
f57d8788d3574f001f1a90cf0554bc69deef5cb411416f1b333bbfe5296842e9
AgentTesla
fcad0e5581e86e8359e00997302140bbaa37fed5240db35291404c9b16a9fc0f
AgentTesla
+ 214 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/210203-pdlwxxblbs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/1ec2bc5b-9af0-4645-9328-baf4e1e88d55/
SH256 hash:
a60900adc31e8e28ff541b91a55de5d9719c0d1ddc3022eb6f6fb5ac19cc9e4f
MD5 hash:
831fb0609b3509b4fb31ac662ac69217
SHA1 hash:
985c33fa2b01e305995e2ea166b961b01f0f6335
Link:
https://www.unpac.me/results/1ec2bc5b-9af0-4645-9328-baf4e1e88d55/
SH256 hash:
3f5b4701d734a5036066424274d3de1b53c4d0814b41f727307556c7a1c408f7
MD5 hash:
c5bc25e433957078776a6cfcee5961c2
SHA1 hash:
69782022af595eaf09d7f706b26a328f8dd190fc
Link:
https://www.unpac.me/results/1ec2bc5b-9af0-4645-9328-baf4e1e88d55/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f5b4701d734a5036066424274d3de1b53c4d0814b41f727307556c7a1c408f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 3f5b4701d734a5036066424274d3de1b53c4d0814b41f727307556c7a1c408f7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/115330/
  
URLhaus
https://urlhaus.abuse.ch/url/989025/
  
Delivery method
Distributed via web download

Comments