MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fbf2e87f150e0aee720dc30b69cb5f7811fb855192c74c6be180fa23a06d5ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fbf2e87f150e0aee720dc30b69cb5f7811fb855192c74c6be180fa23a06d5ed
SHA3-384 hash: 8077a5a3af824392143eb5e4d32db716b8acb26dc57e2e9e4be543898bbd965990525ff562ac9c7ace3c9b3eb580498e
SHA1 hash: 5a89a9b628b5085c097b69959678fe13353fd14f
MD5 hash: 5f5d899c61c52ae601a613e0afa559a9
humanhash: single-fifteen-white-avocado
File name:5f5d899c61c52ae601a613e0afa559a9.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:986'112 bytes
First seen:2020-10-06 07:29:23 UTC
Last seen:2020-10-06 09:14:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:q34PlRfI1alL0wsx1XHY4kuGYgsnJLvUbBn8EUrqBphQb9o7vjj:AuO16kX44k/YgEJLKJUYmbk
Threatray 359 similar samples on MalwareBazaar
TLSH 5125C011968C0267F232D038A227D5786BB59D455A04D2D52DEADCBFFACFE98F4D024C
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.gautengelectrical.co.za:587

AgentTesla SMTP exfil email address:
geemoney21600@gmail.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68514/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482527
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 293714 Sample: hbVwQfz1RB.exe Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 30 cdn.onenote.net 2->30 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Antivirus detection for dropped file 2->40 42 10 other signatures 2->42 8 hbVwQfz1RB.exe 7 2->8         started        signatures3 process4 file5 22 C:\Users\user\AppData\...\SKnZTiiKPpwOz.exe, PE32 8->22 dropped 24 C:\...\SKnZTiiKPpwOz.exe:Zone.Identifier, ASCII 8->24 dropped 26 C:\Users\user\AppData\Local\...\tmpAD1B.tmp, XML 8->26 dropped 28 C:\Users\user\AppData\...\hbVwQfz1RB.exe.log, ASCII 8->28 dropped 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->44 46 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->46 48 Injects a PE file into a foreign processes 8->48 12 hbVwQfz1RB.exe 2 8->12         started        16 schtasks.exe 1 8->16         started        18 hbVwQfz1RB.exe 8->18         started        signatures6 process7 dnsIp8 32 gautengelectrical.co.za 192.185.156.157, 49759, 587 UNIFIEDLAYER-AS-1US United States 12->32 34 mail.gautengelectrical.co.za 12->34 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->50 52 Tries to steal Mail credentials (via file access) 12->52 54 Tries to harvest and steal ftp login credentials 12->54 56 2 other signatures 12->56 20 conhost.exe 16->20         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3fbf2e87f150e0aee720dc30b69cb5f7811fb855192c74c6be180fa23a06d5ed/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 07:31:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h67s5b7rkdqk5zza3qylnhfv66ar7ocvdewhjrv6dah2eoqg2xwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02e8ccb362f76aeb28273e88c3538254effce7f5aa752e17373c1de1c34e3d24
AgentTesla
17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04
AgentTesla
25da7474b9a3f44d1cd3d378bdfde80fc2f6896a38321e1d642d3dccd4f5a010
AgentTesla
441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190
AgentTesla
510c68882ff2fed7d2045040f45c79980ebaa58c9c074d59390edc72c1bbca68
AgentTesla
64c4d370517d05b2add478ca85855bf94c4c51ed05e9e02a92afecc04459ea38
AgentTesla
79a794aa53cfb22103d08a8cfa1bb158e2a23bbaa6f73abee590083ae45b560f
AgentTesla
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
AgentTesla
986b212acea3c00ed30bba3e1a12519bb601d47f5b0ba61ddb68f5e82eff5d53
AgentTesla
d9c78a21a8344b6cc4768d7fa1b9ff128437267f1b7d1d29fccca4a5751d7ed6
AgentTesla
+ 349 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/201006-449frgqrq6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
3fbf2e87f150e0aee720dc30b69cb5f7811fb855192c74c6be180fa23a06d5ed
MD5 hash:
5f5d899c61c52ae601a613e0afa559a9
SHA1 hash:
5a89a9b628b5085c097b69959678fe13353fd14f
Link:
https://www.unpac.me/results/8427e4ba-d03b-41e7-93d1-0b16b55ca3a2/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/8427e4ba-d03b-41e7-93d1-0b16b55ca3a2/
SH256 hash:
005f60089c5b13890f079a89b3e3defec0d542328af8d355571e82a2edefb2d0
MD5 hash:
8ccd3bd3df59e1a31929ad89cee8b641
SHA1 hash:
2630bfb667c59409059772890303ba814cad8237
Link:
https://www.unpac.me/results/8427e4ba-d03b-41e7-93d1-0b16b55ca3a2/
SH256 hash:
625751ce3e1c7ba9fbdac70eb0cddd25dbbebd297c6e8a838711fc5f894b306e
MD5 hash:
acc5894efb67c7e8eb027c9c5c4ac168
SHA1 hash:
38a345ccde6b563704ab8010bcefdcd7d248551e
Link:
https://www.unpac.me/results/8427e4ba-d03b-41e7-93d1-0b16b55ca3a2/
SH256 hash:
3cc84018595e5805dd2c3fff14816e89d7057e0f87d46ffa9e8bfb04fd6bdcc6
MD5 hash:
b892d5e97e158c758d5d3dcd043fc7ae
SHA1 hash:
79214cc9e006238dc55a06aecb32615162186254
Link:
https://www.unpac.me/results/8427e4ba-d03b-41e7-93d1-0b16b55ca3a2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3fbf2e87f150e0aee720dc30b69cb5f7811fb855192c74c6be180fa23a06d5ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 3fbf2e87f150e0aee720dc30b69cb5f7811fb855192c74c6be180fa23a06d5ed

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/68514/
  
URLhaus
https://urlhaus.abuse.ch/url/412465/
  
Delivery method
Distributed via web download

Comments