MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 525e3d916bb14eeb8b678488d2d01c4f74dcf35ec84c1a4b4e56131a33364650. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 525e3d916bb14eeb8b678488d2d01c4f74dcf35ec84c1a4b4e56131a33364650
SHA3-384 hash: 72eef7d7422a5dbf0f7dc69639a25e9c30e9431a901c2941f1ccc52d7db5e955f183a2cfffaa1cbe00a4fd64fe54edbd
SHA1 hash: b6093634843a83bd6bff53f8f3c623ea2f58ffc2
MD5 hash: 3d6cf7a1fed97f0fbb978a60ffa26f56
humanhash: three-pluto-spaghetti-alanine
File name:3d6cf7a1fed97f0fbb978a60ffa26f56.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'227'776 bytes
First seen:2021-07-01 09:55:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:gpULTrW2+FLzx20pbT/Q8p59vODWZ2hsB7Mj5dTYeXMA94l1Ef4wooj:gpZ2ELzx2EPQVD3hsB7MjroA94lk7
Threatray 19 similar samples on MalwareBazaar
TLSH 6845233026E84556D3779A3363F1328AD23EB7353A0AD22916F7079A4993F40CEE257D
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3d6cf7a1fed97f0fbb978a60ffa26f56.exe
Verdict:
Malicious activity
Analysis date:
2021-07-01 09:56:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed99a644-1345-463e-8d5f-e143bf76f253

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169099/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.900-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5969043-a6e9-4ddc-9f49-88a350072470
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/810456
Signature
.NET source code contains very large strings
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442864 Sample: B9idzBr7dC.exe Startdate: 01/07/2021 Architecture: WINDOWS Score: 92 32 Multi AV Scanner detection for dropped file 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AntiVM3 2->36 38 4 other signatures 2->38 7 B9idzBr7dC.exe 6 2->7         started        process3 file4 26 C:\Users\user\AppData\Roaming\rxqfjXj.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\Local\...\tmp7B06.tmp, XML 7->28 dropped 30 C:\Users\user\AppData\...\B9idzBr7dC.exe.log, ASCII 7->30 dropped 40 Uses schtasks.exe or at.exe to add and modify task schedules 7->40 42 Tries to delay execution (extensive OutputDebugStringW loop) 7->42 44 Injects a PE file into a foreign processes 7->44 11 B9idzBr7dC.exe 2 7->11         started        13 schtasks.exe 1 7->13         started        15 B9idzBr7dC.exe 7->15         started        signatures5 process6 process7 17 WerFault.exe 23 9 11->17         started        20 WerFault.exe 11->20         started        22 conhost.exe 13->22         started        file8 24 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->24 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/525e3d916bb14eeb8b678488d2d01c4f74dcf35ec84c1a4b4e56131a33364650/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 06:06:34 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjpd3ellwfhoxc3hqsenfua4j52nz426zbgbus2okyjrumzwizia._file
Verdict:
unknown
Similar samples:
1b9bb1e946bfa8aedec8483a97b8abc7bac0da1e58150d23b2c0473aa1095782
AgentTesla
21fdc7575a436316c0235f3240191d0e4773e8a54d1d088c76cfab7c705bb0fb
AgentTesla
42d293cf86f774218bf7751f1001e0a57883a1c7c90c6c1e8803a061094860cf
AgentTesla
6830905eba294273b6b4dd27f4e8670d4c05013d85e88df7db1b99d42619f0f6
AgentTesla
788c6cb2d98c6b7a40318a4293bdf24001940fe44a750f37fc30733739efffc2
AgentTesla
9e537b12c49cb2567b23a965f83695bc071b684c81edb5fadf1b24909f24b3e9
AgentTesla
a98ba3cb7eb936b7edcf60262bb5b78f8584af2f7b41423a62f291c804ef9252
AgentTesla
c57956ac3cb0ec921a56c3c3a75a16fd0b8cc0b4fa25e7444aadefa9868af9ae
AgentTesla
f03e44339ccec266337496169d478be9683f0a6057d58697d2942a52aebbf7b1
AgentTesla
f354ab2b18c8fcabbc94123f41ce225fb9ec4adaceafda7c5fefd61dee656f70
AgentTesla
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210701-nc7yrwhras/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/80fb2df0-9b14-43bc-976d-85cfda6ff4fe/
SH256 hash:
44241b13109f14864e689c033fa474f0440354a9c16fb8ad10407118fa0881b2
MD5 hash:
57289165648b36ed145c913c5f0b1011
SHA1 hash:
573c68dd41a2a25a2d261366f3be9776f8af123f
Link:
https://www.unpac.me/results/80fb2df0-9b14-43bc-976d-85cfda6ff4fe/
SH256 hash:
dfcef5f068d6b66319c9ba0c1d7f922e224b88387a966c70b21d7c982ef54aae
MD5 hash:
5a3145a077e5fe730a627ce6d2d0d3fc
SHA1 hash:
179f1968d625a5a5366c026e30b1415c822a0213
Link:
https://www.unpac.me/results/80fb2df0-9b14-43bc-976d-85cfda6ff4fe/
SH256 hash:
525e3d916bb14eeb8b678488d2d01c4f74dcf35ec84c1a4b4e56131a33364650
MD5 hash:
3d6cf7a1fed97f0fbb978a60ffa26f56
SHA1 hash:
b6093634843a83bd6bff53f8f3c623ea2f58ffc2
Link:
https://www.unpac.me/results/80fb2df0-9b14-43bc-976d-85cfda6ff4fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/525e3d916bb14eeb8b678488d2d01c4f74dcf35ec84c1a4b4e56131a33364650

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 525e3d916bb14eeb8b678488d2d01c4f74dcf35ec84c1a4b4e56131a33364650

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1398051/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/169099/

Comments