MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f8f13f0de6057e4ce3f86db22451d28d0ad9ee6cf852eb5ca24adbefe619c86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 14

SHA256 hash: 3f8f13f0de6057e4ce3f86db22451d28d0ad9ee6cf852eb5ca24adbefe619c86
SHA3-384 hash: 6510f4088c8f99e71570eea91240fff7c4ecc10893a2ba76ebb8ad668d5c4a6766b791ed14790007c2eeb59a06891ef5
SHA1 hash: 6e60d4fa3a6a437264451045abd8e3e58e9c8ec4
MD5 hash: 0662df309d7c95f1c07111341af1dbec
humanhash: hot-zebra-steak-leopard
File name: file
Signature: AgentTesla
File size: 2'575'872 bytes
First seen: 2023-03-14 15:56:02 UTC
Last seen: 2023-03-14 17:28:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
    Note: the counts span three unrelated families because this is the generic import hash of a .NET executable, whose PE import table contains only mscoree.dll!_CorExeMain. It identifies the runtime, not the malware family; use ssdeep, TLSH or the Threatray similarity set for pivots instead.
ssdeep: 24576:StGQJKZn93wnQMRy3qqE5+jxxSFcgn48f9Ot09OX7l348A5NyViwRTbYBQvzHONh:2GQJOOi31Egngn+nl8Ll7gjfkDf3
Threatray: 1'371 similar samples on MalwareBazaar
TLSH: T1D9C5AEB11393FEC8E72F1E64C4042A40AC25589796BCD25CFCC9299B57E9660DF9CAF0
TrID: 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.8% (.SCR) Windows screen saver (13097/50/3)
      8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: jstrosch
Tags: .NET AgentTesla exe MSIL
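The imphash field above is worth a closer look before it is used for hunting. The following is an added example, not code from MalwareBazaar or from pefile: it reimplements pefile's import-hash algorithm for named imports in pure Python (ordinal-only imports, which pefile resolves through a lookup table, are left out) and shows that every managed .NET executable, whatever it does, collapses to the same value because its only native import is the CLR entry point. The import lists are constructed; the page's reported value is used as the reference.

```python
"""Why the imphash on this page is not a family indicator.

Added example, not code from MalwareBazaar or pefile. imphash() reproduces
pefile's import-hash algorithm for the common case (named imports;
ordinal-only imports, which pefile resolves through a lookup table, are not
handled here). The import lists below are constructed.
"""
import hashlib

REPORTED_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"   # value shown on this page
STRIPPED_EXTS = {"dll", "ocx", "sys"}                    # extensions pefile drops


def imphash(imports):
    """imports: (dll, function) pairs in import-table order. Order matters."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in STRIPPED_EXTS:
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# A managed (.NET) executable imports exactly one native symbol: the CLR entry
# point. Everything else is resolved by the runtime, so the import table, and
# hence the imphash, is the same for an AgentTesla build, a Formbook build or
# a hello-world.
DOTNET_EXE = [("mscoree.dll", "_CorExeMain")]

# Constructed native import table of the kind a packer stub would carry.
NATIVE_STUB = [("KERNEL32.dll", "LoadLibraryA"),
               ("KERNEL32.dll", "GetProcAddress"),
               ("KERNEL32.dll", "VirtualAlloc")]


def is_generic_dotnet_imphash(value):
    """True when a reported imphash is the runtime-only .NET value."""
    return value.lower() == imphash(DOTNET_EXE)


if __name__ == "__main__":
    print("generic .NET imphash:", imphash(DOTNET_EXE))
    print("page value is generic .NET:", is_generic_dotnet_imphash(REPORTED_IMPHASH))
    print("native stub imphash:", imphash(NATIVE_STUB))
    print("order-sensitive:", imphash(NATIVE_STUB) != imphash(NATIVE_STUB[::-1]))
```

Run it against any imphash you are about to pivot on; if `is_generic_dotnet_imphash()` is true, the pivot will return every .NET sample in the corpus, which is what the cross-family counts on this page already show.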

Intelligence

File Origin
# of uploads: 2
# of downloads: 257
Origin country: n/a

Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-03-14 15:57:27 UTC
Tags: rat agenttesla

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Creating a window
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Behavior Graph ID: 826365; Sample: file.exe; Start date: 14/03/2023; Architecture: WINDOWS; Score: 100
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 4 other signatures
Process tree (dropped files, contacted hosts and signatures are listed under the process that produced them):
file.exe
    dropped: C:\Users\user\AppData\Local\...\file.exe.log (ASCII)
    signatures: Encrypted powershell cmdline option found; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    InstallUtil.exe
        dropped: C:\Users\user\...\._cache_InstallUtil.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32)
        ._cache_InstallUtil.exe
            network: 208.91.199.224, ports 49709, 587 (PUBLIC-DOMAIN-REGISTRYUS, United States; 587 is the SMTP submission port); api4.ipify.org 104.237.62.211, ports 443, 49707 (WEBNXUS, United States); 3 other IPs or domains
            signatures: Antivirus detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 5 other signatures
        Synaptics.exe
            conhost.exe
    InstallUtil.exe (second instance)
        signatures: Contains functionality to detect sleep reduction / modifications
    powershell.exe
        conhost.exe
Synaptics.exe (second root process)
    conhost.exe
Threat name: ByteCode-MSIL.Trojan.Nekark
Status: Malicious
First seen: 2023-03-14 12:51:50 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger persistence spyware stealer trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files

SHA256 hash: b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash: c0ef4d6237d106bf51c8884d57953f92
SHA1 hash: f1da7ecbbee32878c19e53c7528c8a7a775418eb

SHA256 hash: 82b5395bdef1f34dbfc7a336c914f2dd913db65d4aa5233d1357eeaa683ed053
MD5 hash: 784af9979c2f089fe805365d94dfa46a
SHA1 hash: e8bd58b9bf2b903fafd3145ed34faf77d141caa0

SHA256 hash: b7be8d1ee0700acb19048c23c043ef1b974580a10217f44a0124d231cb0eb32e
MD5 hash: 65d824898a23656e4cad9d94d6da20f7
SHA1 hash: b4ab8037a697c232733aba7097caf9ab5d93e685

SHA256 hash: a709164f66b4e4e3d21aa33ae43eae78102c06ab9d2c50239726d1770c9fc8fa
MD5 hash: df4a9e1166b28a62d382b09429eee866
SHA1 hash: a05dd7fccabfe7238c1b085082611be187302177

SHA256 hash: 71745a0c365d2b84ccacba936a3cfed58da4241ca6f36a4ffef62582a7afdb07
MD5 hash: b3e38d9329b141c619b48712f02587f7
SHA1 hash: 7bf4214df884a3928fda5f7fc4ae93689bdf429e

SHA256 hash: 8300f2db5f872a12e6bdb7f4e04bf09ba23674d78b97e115cf3cdf9f4d1963be
MD5 hash: ef6e04467bf0158545c47db2a318918e
SHA1 hash: 768a923528b261c8829ffb6db1a87bbe43df8665

SHA256 hash: ee6c538fa1f17d1c62a69a57a844e1e51f36cef761fed064127fce0021f6f0be
MD5 hash: d8c7fd5ac39595665b19e7c0c51ebaa0
SHA1 hash: 0723fc0e4e2c1d89e822a8da851304b229ec053f

SHA256 hash: 3f8f13f0de6057e4ce3f86db22451d28d0ad9ee6cf852eb5ca24adbefe619c86 (the submitted sample)
MD5 hash: 0662df309d7c95f1c07111341af1dbec
SHA1 hash: 6e60d4fa3a6a437264451045abd8e3e58e9c8ec4
Please note that we are no longer able to provide a coverage score for VirusTotal.
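The vendor behaviours above (a user-profile executable spawning InstallUtil.exe and injecting into it, an .exe dropped under C:\ProgramData with a matching Run key, WMI hardware queries, an api4.ipify.org lookup and a connection to port 587) translate directly into host-telemetry detections. The following is an added example, not MalwareBazaar or vendor code: it runs simple rules over a constructed, Sysmon-like event list that mirrors the reported chain. The field names, the trusted-path roots, the mail-client allow-list, the extra ipify hostnames, the location of ._cache_InstallUtil.exe (which the report truncates) and the three-rule alert threshold are all assumptions made for the example.

```python
"""Host-telemetry rules for the behaviours reported for this sample.

Added example, not MalwareBazaar or vendor code. EVENTS is a constructed,
Sysmon-like event list (assumed field names) mirroring the reported chain:
file.exe -> InstallUtil.exe (injected) -> Synaptics.exe dropped under
C:\\ProgramData plus a Run key, WMI hardware query, ipify lookup, TCP/587.
"""
import re

# Assumptions for this example; tune to the estate being monitored.
TRUSTED_ROOTS = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")
USER_WRITABLE = ("c:/users/", "c:/programdata/")
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IP_LOOKUP_HOSTS = {"api4.ipify.org",                       # seen on this page
                   "api.ipify.org", "api64.ipify.org"}     # same service, assumed
VM_FINGERPRINT_CLASSES = {"win32_bios", "win32_baseboard", "win32_networkadapter"}  # listed on this page
SMTP_PORTS = {25, 465, 587}

INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
CACHE = r"C:\Users\user\AppData\Local\Temp\._cache_InstallUtil.exe"  # directory assumed

EVENTS = [  # constructed telemetry
    {"type": "process_create", "image": r"C:\Users\user\Downloads\file.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "file.exe"},
    {"type": "process_create", "image": INSTALLUTIL,
     "parent": r"C:\Users\user\Downloads\file.exe", "cmdline": "InstallUtil.exe"},
    {"type": "file_create", "image": INSTALLUTIL,
     "path": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"type": "registry_set", "image": INSTALLUTIL,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Synaptics",
     "data": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"type": "wmi_query", "image": CACHE, "query": "SELECT * FROM Win32_BaseBoard"},
    {"type": "dns_query", "image": CACHE, "name": "api4.ipify.org"},
    {"type": "network_connect", "image": CACHE, "dst_ip": "208.91.199.224", "dst_port": 587},
    # Benign rows that must not fire: a mail client on the submission port, and
    # InstallUtil.exe run with arguments by an installer under C:\Windows.
    {"type": "network_connect", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "40.99.1.1", "dst_port": 587},
    {"type": "process_create", "image": INSTALLUTIL,
     "parent": r"C:\Windows\System32\msiexec.exe", "cmdline": "InstallUtil.exe /i service.dll"},
]


def norm(path):
    return path.lower().replace("\\", "/")


def basename(path):
    return norm(path).rsplit("/", 1)[-1]


def under(path, roots):
    return norm(path).startswith(roots)


def detect(events):
    """Return (rule, image, detail) for every event that matches a rule."""
    hits = []
    for e in events:
        kind, img = e["type"], e["image"]
        if kind == "process_create" and basename(img) == "installutil.exe":
            # Hollowing target: spawned from outside trusted roots, or with no arguments.
            if not under(e["parent"], TRUSTED_ROOTS) or len(e["cmdline"].split()) < 2:
                hits.append(("installutil_injection_target", e["parent"], img))
        elif kind == "registry_set" and "/currentversion/run/" in norm(e["key"]):
            if under(e["data"], USER_WRITABLE):
                hits.append(("run_key_persistence", img, e["data"]))
        elif kind == "file_create" and norm(e["path"]).endswith(".exe") and under(e["path"], USER_WRITABLE):
            hits.append(("dropped_exe_user_writable", img, e["path"]))
        elif kind == "wmi_query":
            m = re.search(r"\bfrom\s+(\w+)", e["query"], re.I)
            if m and m.group(1).lower() in VM_FINGERPRINT_CLASSES:
                hits.append(("wmi_hardware_fingerprint", img, m.group(1)))
        elif kind == "dns_query" and e["name"].lower() in IP_LOOKUP_HOSTS:
            hits.append(("external_ip_lookup", img, e["name"]))
        elif kind == "network_connect" and e["dst_port"] in SMTP_PORTS and basename(img) not in MAIL_CLIENTS:
            hits.append(("smtp_from_non_mail_client", img, f"{e['dst_ip']}:{e['dst_port']}"))
    return hits


def verdict(hits, threshold=3):
    """Alert when at least `threshold` distinct behaviours fire on one host (assumed threshold)."""
    return "alert" if len({rule for rule, _, _ in hits}) >= threshold else "inconclusive"


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, img, detail in found:
        print(f"{rule:32} {basename(img):28} {detail}")
    print("verdict:", verdict(found))
```

Each rule on its own is noisy (installers do launch InstallUtil.exe, and plenty of software asks for its public IP); the point is that the chain reported here trips six independent rules from two processes, and a correlation threshold over distinct behaviours separates that from any single benign trigger.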

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name: yara_template

Note: pe_imphash and Skystars_Malware_Imphash key on the import hash, which for this sample is the generic .NET value shared across the families counted in the imphash field above, so those two matches carry no family-specific signal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: AgentTesla
Sample: Executable exe 3f8f13f0de6057e4ce3f86db22451d28d0ad9ee6cf852eb5ca24adbefe619c86 (this sample)

Comments