MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3332f865f362bd89aaa305a8b8ec5d3e5b6ddae9e704b70a2d36723550415b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	b3332f865f362bd89aaa305a8b8ec5d3e5b6ddae9e704b70a2d36723550415b0
SHA3-384 hash:	5b30abed9f7ed2d76a42e59274f390f91643fc7a5bec6d7ae8e3fa4b9e5418b10b2c1bda0340e8fbbb0228c31b26890a
SHA1 hash:	aad3a850e388b4cadd6b13736e8208e69fbb3846
MD5 hash:	bfb0e30ca466323d4b0ee2e538f08c2a
humanhash:	princess-floor-william-september
File name:	bfb0e30ca466323d4b0ee2e538f08c2a.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	699'392 bytes
First seen:	2020-09-27 08:10:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	10c4e79da1631ecbb0bd1ff36adbf403 (3 x AgentTesla, 1 x Loki, 1 x AZORult)
ssdeep	12288:XOL2EC+KNAlnSVi4dVNkKQqdiuV7a+u9LjyXsnh7Q5fL+t:XGRYAlnG7T9V7a71j8sZz
Threatray	191 similar samples on MalwareBazaar
TLSH	37E48E26E2F14437C327163DDC0B97B4683ABE502A6868863BF5DF4C9F387913919297
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

153

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/66229/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Trojan.PWS.Stealer.24943.18452.13126.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/476021

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b3332f865f362bd89aaa305a8b8ec5d3e5b6ddae9e704b70a2d36723550415b0/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-09-24 14:54:03 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wmzs7bs7gyv5rgvkgbnixdwf2ps3nxnotzyew4fc2ntsgviecwya._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

125203c92ab4db76de740b9cb2ce5908bbf6ee86864855a4903e2d5c17953ad1

AgentTesla

1277fb7fda4e11d5c61a6c07df4af7712070f01e002d54683c879c23e739519f

AgentTesla

68c67f845d8c48aa74901553deb7cc31b7f2a27954d75e4f67093c70f81eb9d6

AgentTesla

8ceba0ecd94e885f32b2e9b68373691b43887e70f6bc903878fdb74551fc919d

AgentTesla

d09186afeb1460fe7e7e33f7e319ecb280374f7c49b4240dfacc397323333834

AgentTesla

d2dfba35543519803792501c08cc68bb21534ec3fcdc50224bb154776f62b28f

AgentTesla

e2150f160d11a8a7917b38060171eceeb1d68209ca5c81394682b0d828f35ac9

AgentTesla

f6b7e42150aea95c6af1e8c570ca45fac6e7e7dc2b27a88cae25fbc92faa07ff

AgentTesla

fc27d5975a0b1b0f856f57dd5839cd081efde7a6fc228a5ddbdb57ef4bf1a9c3

AgentTesla

+ 181 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200927-apl49fn7r6/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Unpacked files

SH256 hash:

2e3a87cce8efd3f0cf4d146d14f017c78a05ccf44aecb3c790a204029c367558

MD5 hash:

5338234def608d895434dad6c650827e

SHA1 hash:

434d7541897be9f6c42f74d10652e6b16164a578

Link:

https://www.unpac.me/results/aedaee82-6e4c-40e0-b92d-88e870e29dbb/

SH256 hash:

7e9386fa00081e9fffd208b258598be34a081906f06c46a2b34ff154d201ca0e

MD5 hash:

475f138c233372850f4616ebd0ac08f7

SHA1 hash:

07100a2cd1d39277901b8759617b0af8383f4c3d

Link:

https://www.unpac.me/results/aedaee82-6e4c-40e0-b92d-88e870e29dbb/

SH256 hash:

b3332f865f362bd89aaa305a8b8ec5d3e5b6ddae9e704b70a2d36723550415b0

MD5 hash:

bfb0e30ca466323d4b0ee2e538f08c2a

SHA1 hash:

aad3a850e388b4cadd6b13736e8208e69fbb3846

Link:

https://www.unpac.me/results/aedaee82-6e4c-40e0-b92d-88e870e29dbb/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.