MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3fa345d4d272ddb13e0e3141bf18eac8521acaf8eb2eff8d3395f056740c2bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3fa345d4d272ddb13e0e3141bf18eac8521acaf8eb2eff8d3395f056740c2bd
SHA3-384 hash: 5e308a090fd12413fe9b69f49526faa68337650f39a7d77f0b994d29cea1dd467bdb7e4358276b47f5bc90cc33ec9f7d
SHA1 hash: 1696db3ccfbb455b4c7072c6c30f18fa2b7032af
MD5 hash: 5d4a217b376391725efa48b7669a489d
humanhash: paris-social-mirror-uranus
File name:5d4a217b376391725efa48b7669a489d.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'143'808 bytes
First seen:2021-02-05 19:29:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:dnQF9aM3IEzkCPMusWghnHinb9pWyl2FwMvQQ6VzJfO2BlGF11lpXUFMO+:2eMjkCMusWsS9V2Kwp6KsS7WF
Threatray 2'455 similar samples on MalwareBazaar
TLSH 3635070127A42F18F17D97754DAD184443F8EC27E762EB2DBEB4B2DA0A71F128B11B16
Reporter abuse_ch
Tags:AgentTesla exe Telegram

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5d4a217b376391725efa48b7669a489d.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-05 19:48:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6c1b5987-5388-4f4d-8f1d-4dd7eb13f8ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115835/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/600852
Signature
.NET source code contains very large array initializations
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a3fa345d4d272ddb13e0e3141bf18eac8521acaf8eb2eff8d3395f056740c2bd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-05 12:15:31 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=up5dixkne4w5we7a4mkbx4movscsdlfpr2zo76gthfpqkz2ayk6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
199da37d02aa71c502adf3a623de188b25f7cb2001b4936a798ea8a6a9c20ad3
AgentTesla
1f57778e5448ce6d8834f523299fc5ba868636556c993a4b5f3faabacb36c993
AgentTesla
40e1050719fa63b000fb1e254951098c69eb2eacf2e1ea8865ddea91f12908a9
AgentTesla
5c8ba975c1ec2a2fe0c98e5e1cd0ba61b415ba7667f5a7c95ad383abe4ba92a2
AgentTesla
5e7ab36ec389a4294220c2b5535e8389fcb1acbd09b7a87dbc2e924ee54544b6
AgentTesla
6b75182568a1cf2fef851977be460536fe4a0af4aaf05b41a253c53f2af276fc
AgentTesla
8ef317f2278fbe6a533e8f78b932698e986280d2f4a6716aaaaa4dc5692222a8
AgentTesla
a97528499bee868023a6898c85da34f9ed73a5a12b8a3a01817a88d82a8c5641
AgentTesla
b5aeb6d277320df561d9bb77a95e976c5527c17441292ec7b5bafc441fe746d0
AgentTesla
de9d415f8380055c8fc1a2239b7e1e85f29f0f1ba780c7bb2b9e2921dad93123
AgentTesla
+ 2'445 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
ransomware
Link:
https://tria.ge/reports/210205-cf1cz2hpfx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
d602ddacb8c0cd11f69142bee945c220d6b27468ff3f69e3e9b60525baae6654
MD5 hash:
508614c40a4af1845c85386867ac433c
SHA1 hash:
dbcfb176a1b2b7f98ac412038a1011e4ae2860ec
Link:
https://www.unpac.me/results/d9fc0665-4133-48d6-8e7f-c7ae1c64e026/
SH256 hash:
c16adf07ffd4ba90c537558d8670ab65b2571cf43942b50ecb68a41cce9822ce
MD5 hash:
b5954bb7e8a7fd7639499694fec44fa4
SHA1 hash:
750c208de84ff5ca382e6af6bd057fa64f8bc0a2
Link:
https://www.unpac.me/results/d9fc0665-4133-48d6-8e7f-c7ae1c64e026/
SH256 hash:
2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849
MD5 hash:
befb0470c71d676cc891cba16088975d
SHA1 hash:
5b7143f97d1d656fd1cacf70949048c1951b639a
Link:
https://www.unpac.me/results/d9fc0665-4133-48d6-8e7f-c7ae1c64e026/
SH256 hash:
a3fa345d4d272ddb13e0e3141bf18eac8521acaf8eb2eff8d3395f056740c2bd
MD5 hash:
5d4a217b376391725efa48b7669a489d
SHA1 hash:
1696db3ccfbb455b4c7072c6c30f18fa2b7032af
Link:
https://www.unpac.me/results/d9fc0665-4133-48d6-8e7f-c7ae1c64e026/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3fa345d4d272ddb13e0e3141bf18eac8521acaf8eb2eff8d3395f056740c2bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe a3fa345d4d272ddb13e0e3141bf18eac8521acaf8eb2eff8d3395f056740c2bd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/990233/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115835/

Comments