MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f6ec2ba24b07924bf9bab3d4ae81df005d327bd6a93481ebefe0fff004d9fa3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f6ec2ba24b07924bf9bab3d4ae81df005d327bd6a93481ebefe0fff004d9fa3
SHA3-384 hash: 4cc352c9b4c8e2490c72186fd0410591017f8748954c746cf92698208bb81bd9c2e9f687466a0fd1835fd41e2786b165
SHA1 hash: babcd0ec820c55ba047e2a024467eb9f998c713b
MD5 hash: 81b99806fafe162f9ee496f0485e8be7
humanhash: timing-yellow-twenty-september
File name:NEW URGENT INQUIRY_B9020289.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:518'656 bytes
First seen:2021-03-09 06:28:39 UTC
Last seen:2021-03-09 08:38:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:b+egb10QmhH0GEIGx1bL5xv3/Kri5v2Gq6YupcBNt+/o:b+96Af/L5J3xIlupco
Threatray 3'075 similar samples on MalwareBazaar
TLSH 50B4E0240B7C21A2F783EF7B753B09366C9A17E5490BFC153AECA096292D37841FD694
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW URGENT INQUIRY_B9020289.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-09 06:30:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/732dc27e-b130-44ef-a771-f31770eb8d20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123093/
Detection(s):
SecuriteInfo.com.Variant.Bulz.387274.27443.1574.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/632324
Signature
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected Beds Obfuscator
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-08 19:20:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h5xmforewb4sjp43vm6uv2a56ac5gj55nkjuqhv67yh76acnt6rq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4316dbece42e93640c8df6fab16f81e09d207967c9e94b908b96f680c0469064
AgentTesla
501f8cd5de11d78091f6029c64cbae14c72a0e6ac7a7a95d30d4de8edddaba06
AgentTesla
547730d182deb8f0b96b48b7d635288e43748c79816f3ad481735df25ae9523c
AgentTesla
70f663d3327046c372ba628ba4a216adc73738b080c579a9e9c45c7780e79e1e
AgentTesla
9d533e1a5e529d1f7b30f0f6ef8d1322b34878b70435c9892d673a1dccca689e
AgentTesla
a24b65d53104ef9cad9859a7d02ae4b8b39ead417b2dc81866d59051285410c5
AgentTesla
afb762081ead1cb5e87f45a39cd16a6875e901eb1d5ab40b978c25fe549d2662
AgentTesla
c3624982c4e27761f6d132bb33b9fd3618642fdc0cc5949a6207ceef392b3d8a
AgentTesla
ddd2c3304f4423f4348cf0d858ecba70eaaba5b652969d5f582a534ccfb55093
AgentTesla
ead0f6ef88c149f4318129ed6e3ef5fb30bd2ab03afef3625ca08d1b2f6f180e
AgentTesla
+ 3'065 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210309-tj1spm9s5j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
Beds Protector Packer
AgentTesla
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/15f3d1fd-8f65-48ab-b0cb-2fb91812e0c9/
SH256 hash:
ec5256bc0112eb8d009153adcce15a09521997125f15ba4e386b94ad3456959e
MD5 hash:
069249857aa0404bd1266b58a4f2fc86
SHA1 hash:
a28edb5605c4fc0cced5ae0c8d92a7aaef99b7b0
Link:
https://www.unpac.me/results/15f3d1fd-8f65-48ab-b0cb-2fb91812e0c9/
SH256 hash:
5dc67a9516fb24c2630275b96e2a58609842cc45a16ebb0fedd74fa33fb9cc18
MD5 hash:
3189cd61a8bc5c7148f43bf2894e3c1c
SHA1 hash:
9283f462e9c57b6014e4d7dc8fbb03508f018c2a
Link:
https://www.unpac.me/results/15f3d1fd-8f65-48ab-b0cb-2fb91812e0c9/
SH256 hash:
3f6ec2ba24b07924bf9bab3d4ae81df005d327bd6a93481ebefe0fff004d9fa3
MD5 hash:
81b99806fafe162f9ee496f0485e8be7
SHA1 hash:
babcd0ec820c55ba047e2a024467eb9f998c713b
Link:
https://www.unpac.me/results/15f3d1fd-8f65-48ab-b0cb-2fb91812e0c9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f6ec2ba24b07924bf9bab3d4ae81df005d327bd6a93481ebefe0fff004d9fa3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 7919783de80fe8bbc20927d6abcbb434477cdcdb51a48133635ee9d7d5a34c6d

AgentTesla

Executable exe 3f6ec2ba24b07924bf9bab3d4ae81df005d327bd6a93481ebefe0fff004d9fa3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 7919783de80fe8bbc20927d6abcbb434477cdcdb51a48133635ee9d7d5a34c6d
Cape
Cape
https://www.capesandbox.com/analysis/123093/

Comments