MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a310036353168d56a7d519f39e601dc7dee833a9e782b9f7661e8b55e2a31139. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a310036353168d56a7d519f39e601dc7dee833a9e782b9f7661e8b55e2a31139
SHA3-384 hash: 8d2c945cd26add182fa1105b9403bb4fefffc8be942ef60560ac1d8968d7a3edcdb0485ee92cc33e6e69de75104d91a9
SHA1 hash: 1bf8b919e0aeb06b0ce08a0f333827aa0ff2f517
MD5 hash: 3ab41d1d6f9ba76b483a79900648422c
humanhash: fourteen-romeo-may-south
File name:MRKU8781602.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:781'312 bytes
First seen:2022-06-01 11:36:36 UTC
Last seen:2022-06-01 11:36:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:RnLp6SIcd1AagG9GL6u0Ys7qnQLDlhSlNsnpygbvHLrjEecP01lOUK2P:BLpz0+90sVqn+8Da/fM
Threatray 17'801 similar samples on MalwareBazaar
TLSH T122F4016432AC0564C6AA877640BAC250537D395AF73ECB0E39D3A48E1DF33825B167E7
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:AgentTesla exe Maersk

Intelligence

File Origin
# of uploads :
2
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
MRKU8781602.exe
Verdict:
Malicious activity
Analysis date:
2022-06-01 20:18:40 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/b07c76e3-a401-4523-a93f-7ea0f5c25284

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/276034/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.17812.16560.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc2c4f98-5c60-45c5-b0e7-7d07cfa02838
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1004988
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a310036353168d56a7d519f39e601dc7dee833a9e782b9f7661e8b55e2a31139/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 10:33:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
38
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=umiagy2tc2gvnj6vdhzz4ya5y7poqm5j46blt53gd2fvlyvdce4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1f519abedceeaca2fffef4410b7e05feda1f2449cb49d4e7d6bbe4ce2b567c95
AgentTesla
25289b51159400b22b0a123f57c8ad0129346ae8944eccd8b9e8c9d58ad010b0
AgentTesla
4196ac36c2e960a9c3b602394b6867e9503417a265c48552a8d5c0cfe4d17231
AgentTesla
49b5b36041408c4f58810bad116898bec932533a1487099f1049c0df3740688f
AgentTesla
57f01cdded3c545f55b5dc74630fc7cb9679abe58949e706bef98014f6578ab4
AgentTesla
7c5bb3d937ef9a92d2e2d42ff300f3025c2ffc631e5d80401dbf8808389335f5
AgentTesla
a1b36c729b1d2dbc3b47d9359285ab2dcc2e0f66c4ed4c0f17dcf4c59ec54e02
AgentTesla
a310036353168d56a7d519f39e601dc7dee833a9e782b9f7661e8b55e2a31139
AgentTesla
b6977327ba4fd222c6e98fb0c3989e20b28fe4d460ad2b2201e4ba13fe7b8441
AgentTesla
cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828
AgentTesla
+ 17'791 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220601-nq5m1sgch9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1633482536:AAF1JIS_DaayovuRrLGy_POYaI3DRc2CrPY/sendDocument
Unpacked files
SH256 hash:
b91307eeae6495cc3202fb1ec39e3f58534be4b1a60795d0b31fd52c76f040d4
MD5 hash:
19f1df1e9b8f809b61dab4490cdc6e9c
SHA1 hash:
9e2e47b1ae0d94e894a88ce28a7c8a7c1a00e8ef
Link:
https://www.unpac.me/results/14c3c9ec-a832-46a8-b64b-8bd5b32d79d9/
Parent samples :
827774cd3d42753b5a959a706a3ae0d989cd6b1cdb9eb54590acdc37f086d4b4
5509e143021f95074f9cde2dac4d79960710adb794bb1cdf57582be08681c3bf
57191284c75940f3a637266acc38d3a503ab97a52c9d99a0a85ff61d27420b6f
44adde49a051c923e1ed89d0adfa105fb66f85bebe630f625c29e25f93da3043
604c52301a76a47042112a3a7fca37f1c6c205a0888a6e28c5555406c55b2279
SH256 hash:
2fbad01d034c679b28f472164238ed32b5b3ea8739a49e014dbd825cecd7f8a2
MD5 hash:
ac909c298fd3752ebb1c68f326ad1e38
SHA1 hash:
9a9d2c4d8d9ed3f7d4f46dbd60410adb29a2b4ae
Link:
https://www.unpac.me/results/14c3c9ec-a832-46a8-b64b-8bd5b32d79d9/
SH256 hash:
879c29560b21be7d9b69ca27ca4756df86e080fa3e34cb191aad5cb1e5f05504
MD5 hash:
30b6a54a992eae921a2eb8c5ea130911
SHA1 hash:
1c83f0319bffe007077c6656418c9b7344d5affe
Link:
https://www.unpac.me/results/14c3c9ec-a832-46a8-b64b-8bd5b32d79d9/
SH256 hash:
8935e5e8a7330d8459d4f7de891c94005a299395fbba4c02585429e199fdb81c
MD5 hash:
e009d07ede215e3df768c197038d21d1
SHA1 hash:
0da6b9e4421a98c9025e98e404a95d9eeba3a3af
Link:
https://www.unpac.me/results/14c3c9ec-a832-46a8-b64b-8bd5b32d79d9/
SH256 hash:
a310036353168d56a7d519f39e601dc7dee833a9e782b9f7661e8b55e2a31139
MD5 hash:
3ab41d1d6f9ba76b483a79900648422c
SHA1 hash:
1bf8b919e0aeb06b0ce08a0f333827aa0ff2f517
Link:
https://www.unpac.me/results/14c3c9ec-a832-46a8-b64b-8bd5b32d79d9/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a31003635316/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a310036353168d56a7d519f39e601dc7dee833a9e782b9f7661e8b55e2a31139

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 188b9aca21242aae9a39e337159d524fb5e5c15744e1b94cfb49ed2b919265f7

AgentTesla

Executable exe a310036353168d56a7d519f39e601dc7dee833a9e782b9f7661e8b55e2a31139

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 188b9aca21242aae9a39e337159d524fb5e5c15744e1b94cfb49ed2b919265f7
Cape
Cape
https://www.capesandbox.com/analysis/276034/
  
Dropped by
MD5 f3e8740562d6287d2f82cb1c56aa3872

Comments