MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f6227d8a8874b0378b2f37fde0c5fd024bf0cb8ab16ab79f6e7a5ba777ab2d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f6227d8a8874b0378b2f37fde0c5fd024bf0cb8ab16ab79f6e7a5ba777ab2d7
SHA3-384 hash: bae0f062f829a64f458acaf85d3ff45fd91d5db01d0398507c7cce487d0c291244944d8e88fb4b4dae4b13013fc50414
SHA1 hash: 32db13a4ca767f0a780fe0609efe2ae00a07540a
MD5 hash: dde4be97cc8fb4ab483eb615f9d07466
humanhash: sierra-bulldog-equal-iowa
File name:MAY, 2022 Statement - 22387.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:904'704 bytes
First seen:2022-05-15 07:15:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:/8RynXr8CoGmR4QWK4kFGg1c17RaHtzrgkgd5dJcxmFa92VBOeyPXdKf5vU6dIIo:0+89fG2c1C8kgNJcxmA9Qk/WO+Ihk2r
Threatray 16'330 similar samples on MalwareBazaar
TLSH T11215BE057A488D31E0AC3B3FE7871615137A45D38E22DB4CBA0EB6D52523683AE1F767
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270764/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Adding an access-denied ACE
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/6280a88f22b733139c1ac754/reports/1ebad8d7-b4ee-4d70-9252-f0ba32f43fc0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11e0eb80-d2cb-48cf-bef5-c88af5aa5c97
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994291
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 626787 Sample: MAY, 2022 Statement - 22387.bat Startdate: 15/05/2022 Architecture: WINDOWS Score: 100 26 Snort IDS alert for network traffic 2->26 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 10 other signatures 2->32 6 MyAPP.exe 2 2->6         started        9 MAY, 2022 Statement - 22387.exe 2 2->9         started        11 MyAPP.exe 2 2->11         started        process3 signatures4 34 Multi AV Scanner detection for dropped file 6->34 36 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->36 38 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->38 13 MyAPP.exe 2 6->13         started        40 Injects a PE file into a foreign processes 9->40 17 MAY, 2022 Statement - 22387.exe 2 5 9->17         started        42 Tries to detect sandboxes / dynamic malware analysis system (file name check) 11->42 process5 dnsIp6 44 Tries to detect sandboxes / dynamic malware analysis system (file name check) 13->44 46 Tries to harvest and steal browser information (history, passwords, etc) 13->46 24 webmail.nexcourier.ae 185.56.88.46, 49784, 49801, 587 BUZINESSWAREAE United Arab Emirates 17->24 20 C:\Users\user\AppData\Roaming\...\MyAPP.exe, PE32 17->20 dropped 22 C:\Users\user\...\MyAPP.exe:Zone.Identifier, ASCII 17->22 dropped 48 Tries to steal Mail credentials (via file / registry access) 17->48 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->50 file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f6227d8a8874b0378b2f37fde0c5fd024bf0cb8ab16ab79f6e7a5ba777ab2d7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-14 13:07:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h5rcpwfiq5fqg6fs6n754dc72asl6dfyvmlkw6pw46s3u532wllq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
200a8761ad54a3eeb3039a37d654f3be76efcdd5a51b1f6f9f4b9584dc998e1e
AgentTesla
31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969
AgentTesla
6ab30070b29a4095465e89dbc1a4b0788625565aa7608973b274aadd715b5db1
AgentTesla
8dd2ea100a46b99ad89e7754af2dbd306ce5ec10e214687edd629aa6b7ab4cd6
AgentTesla
96e0c00307bf79e2654ea97fb673dd755d2d3e2ea9e17fbc774b286f6d4c3273
AgentTesla
a5d8d45cbd23356ba348b889e6055e7a114d84612f6bc20e829ee632269dc2cc
AgentTesla
c0cffde9e8ebbcf8118a7d94c1c0d2979ad9401a8f71f4ba926d988043787627
AgentTesla
+ 16'320 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220515-h3slbsdgb3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/b34ef99c-df5d-4fed-a8ab-ab7cd19d2151/
SH256 hash:
1684f2b9634888fb939b51bc4526cf5f1b4a4b27810d6fa016548b5f450b8f02
MD5 hash:
2da5bc5e892038b93073a202ce271802
SHA1 hash:
0b279a1e7d7a8150410e353df3d775204014203a
Link:
https://www.unpac.me/results/b34ef99c-df5d-4fed-a8ab-ab7cd19d2151/
SH256 hash:
3f6227d8a8874b0378b2f37fde0c5fd024bf0cb8ab16ab79f6e7a5ba777ab2d7
MD5 hash:
dde4be97cc8fb4ab483eb615f9d07466
SHA1 hash:
32db13a4ca767f0a780fe0609efe2ae00a07540a
Link:
https://www.unpac.me/results/b34ef99c-df5d-4fed-a8ab-ab7cd19d2151/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/3f6227d8a8874b0378b2f37fde0c5fd024bf0cb8ab16ab79f6e7a5ba777ab2d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3f6227d8a8874b0378b2f37fde0c5fd024bf0cb8ab16ab79f6e7a5ba777ab2d7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/270764/

Comments