MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3bdb9360b074ddaf80a551a4b92ab802725ddfa83ad33bbc3eed2efc58e39d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3bdb9360b074ddaf80a551a4b92ab802725ddfa83ad33bbc3eed2efc58e39d7
SHA3-384 hash: 6196ebaf64d24fa88e7dbedc260d5cb4c0f55aa280605750a5f34f8f67e26870ae3b2e01a9e0c71a450fd4b382dc9bb9
SHA1 hash: 4f68b65a1a729cb2f46aa4a218fe02f0fe37e1f9
MD5 hash: f8f9fee6a7183c93c1ae52ecf9ee05a1
humanhash: artist-freddie-march-quebec
File name:Payment_ Advice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'030'656 bytes
First seen:2021-05-31 06:49:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:eyeKccy/TGrGkMuk/VTK7bq76iQzEOq6MGOEcY:c/cGFVK7bIaE36MGX
Threatray 5'405 similar samples on MalwareBazaar
TLSH 05258D2D1268176AD139D3B889D0540393F1EC27F252FB986DD133A50B73B86B99227F
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment_ Advice.exe
Verdict:
Malicious activity
Analysis date:
2021-05-31 06:55:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/05d81ec4-ced1-4971-b757-0ec917c93ec6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/163362/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.763-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794514
Signature
.NET source code contains very large strings
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a3bdb9360b074ddaf80a551a4b92ab802725ddfa83ad33bbc3eed2efc58e39d7/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-05-28 20:43:11 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uo63snqla5g5v6akkunexevlqatslxp2qowtho6d53jo7rmohhlq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3a7f2d0d405e3e17dde8bad93a092cf03f10fe7bba0230431a0b449a384dacc7
AgentTesla
3ee4e620dd7cb6d8a6f604e5653a4f5cbf1258032ffc7d13ae9a415c672a5713
AgentTesla
5a1c59664608fbf4b0079b61e18f0cc56afd551642c2ecc16bca995c8b6ed38a
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
89444f8c0f1f3e941506f8914d357918a67d8d813115eb361754dc38c5982b60
AgentTesla
a7d71b128d7e8366f7e2fd8002f971c490575ea8fcc15bd571152db97f7b26f3
AgentTesla
aa061712833434c40871093a476fb1743c83b3b05f5325f68f58f33e91ba3e36
AgentTesla
c1c24ae77d5605d4fa7c779ca4d720869a66bf3832bcca3c8bb4f3bf20b97575
AgentTesla
c6b6f77cbf5c49770a33a8d7198e4f81dd2a6b3584e76c90f8303269f6c69432
AgentTesla
feedd6efd7f0f971d6b9da9033e8c062180b2e613fb10c55e019aa6c2a6c353a
AgentTesla
+ 5'395 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210531-lg2ej9bhcx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3bdb9360b074ddaf80a551a4b92ab802725ddfa83ad33bbc3eed2efc58e39d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a3bdb9360b074ddaf80a551a4b92ab802725ddfa83ad33bbc3eed2efc58e39d7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/163362/

Comments