MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94b3e37a5c039221040999418b83ab8338b165db38255ec81bc41f3a8ad2e6df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94b3e37a5c039221040999418b83ab8338b165db38255ec81bc41f3a8ad2e6df
SHA3-384 hash: f5ce64539d045da941aceec5afb24a4ced7677c5b5d832c20fffdc12d6e0b634982e297f9295f32b1f7740be4d5ed980
SHA1 hash: 4c655912a26717da52cd27388152e3560cdddba2
MD5 hash: cd9b1577f63995e5ebdb0afd073b6297
humanhash: gee-william-romeo-nine
File name:Revised PO..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:703'488 bytes
First seen:2021-03-19 06:24:05 UTC
Last seen:2021-03-19 07:33:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:V1N3p65fWJfCOT9rKi03ElObcsEVoRRrW2UAedWA/KDxhnXfc/xUWtPR:zNo5fWJfCOxGihs4roDrW2UAUX/Yhna7
Threatray 4'476 similar samples on MalwareBazaar
TLSH 49E4D0A52340EB5DCD364F79C8412910F7E0D9F68117EBC35DE248DA498E79D8EEB282
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Revised PO..exe
Verdict:
Suspicious activity
Analysis date:
2021-03-19 06:27:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a433b20c-86e0-46b0-bbe8-a85b3d752c51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/125570/
Detection(s):
SecuriteInfo.com.ArtemisCD9B1577F639.14725.29439.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/629b24e4-cbd6-40fc-9c1a-4c11aa472670
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/645717
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/94b3e37a5c039221040999418b83ab8338b165db38255ec81bc41f3a8ad2e6df/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ssz6g6s4aojccbajtfayxa5lqm4lczo3hasv5sa3yqptvcws43pq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
31774d7c01c8f9e15a2e4de37edd51c2eb82a537a81f0c23ce9edc3acd147c12
AgentTesla
3fe64ef36bf563c4b88c055af8b943a326084b40388143459c71ab199242f7ec
AgentTesla
420eb55a610b87b50a1f216ad003ef777283224e1aaedad7723f240ff1fed218
AgentTesla
4dad4127df36f1ff3db7fd7dcc70e776f043cb621e3ec297551ad1e187dae0a6
AgentTesla
afb762081ead1cb5e87f45a39cd16a6875e901eb1d5ab40b978c25fe549d2662
AgentTesla
b7bce95240078818bac8fe9b2ac1171c838845445f433e81c8eb819d746ab479
AgentTesla
b90e1e7edc9c706f49052560be86957b71f1dd905ee08c9441dd686546bd9804
AgentTesla
c7700b2ad0dc0c6c0fe85af9a3267e02d5ecfba90376fb5c7ba3ecce31107f7b
AgentTesla
eb9de162cbe1af46b276cebd9141ece2b6bd02847d906e4078b2dc8ded5c2a06
AgentTesla
f2551f02675f06efffbc9dd02a40d7ad1e21f8d6229cf47b1725ced9887ab706
AgentTesla
+ 4'466 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210319-pj4h9npnzj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
2b43013edb5706a946f4e523a1a219b31fe2a7e05c48884c048882b3c1327655
MD5 hash:
b7159eb14fe565d4e233604b629bbd8a
SHA1 hash:
64f82c67e6c7cbc078141162a49bffcee3d9ebb9
Link:
https://www.unpac.me/results/71241e18-350e-4b2a-b51e-18165e5a8640/
SH256 hash:
94b3e37a5c039221040999418b83ab8338b165db38255ec81bc41f3a8ad2e6df
MD5 hash:
cd9b1577f63995e5ebdb0afd073b6297
SHA1 hash:
4c655912a26717da52cd27388152e3560cdddba2
Link:
https://www.unpac.me/results/71241e18-350e-4b2a-b51e-18165e5a8640/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94b3e37a5c039221040999418b83ab8338b165db38255ec81bc41f3a8ad2e6df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 0f91d9c75cf1dd126dfd5672bdb48b8d5872578ea70933c14db18eca3ea26995

AgentTesla

Executable exe 94b3e37a5c039221040999418b83ab8338b165db38255ec81bc41f3a8ad2e6df

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0f91d9c75cf1dd126dfd5672bdb48b8d5872578ea70933c14db18eca3ea26995
Cape
Cape
https://www.capesandbox.com/analysis/125570/

Comments