MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f
SHA3-384 hash: 99f5c8ba83794932031fbc671eb45c504bb1f2716df803b2fce8864d49dd406d51de8ff76646698149eef173521a51b8
SHA1 hash: 8442101a1cd985ddff442e39f774c13e09d409b0
MD5 hash: 63d5fec4417ab19871a893e8ce517bcc
humanhash: aspen-carpet-indigo-six
File name:VESSEL SEPC'S - WECO BULK.doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:178'688 bytes
First seen:2021-09-27 14:13:05 UTC
Last seen:2021-10-04 09:40:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:cnRh3ly15aCaDOo/ls3kd6Zy3nk71ZjR5Mq5:cRFU1tKsUd6Z8c1D7
Threatray 10'701 similar samples on MalwareBazaar
TLSH T128048C687E54C972C2994B388D53EA284FB07F213D45978F7252378F1EB13DA4A43A36
File icon (PE):PE icon
dhash icon 0048c8c460e0f468 (1 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8442101a1cd985ddff442e39f774c13e09d409b0
Verdict:
Malicious activity
Analysis date:
2021-09-27 13:18:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/22a481aa-1a83-4db7-a1eb-ee00fb9c1537

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c31eb06b-fd65-4cd6-b60c-5263845e88b0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/859081
Signature
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491506 Sample: VESSEL SEPC'S - WECO BULK.doc.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 60 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Uses an obfuscated file name to hide its real file extension (double extension) 2->41 7 VESSEL SEPC'S - WECO BULK.doc.exe 15 4 2->7         started        process3 dnsIp4 27 store2.gofile.io 31.14.69.10, 443, 49848 LINKER-ASFR Virgin Islands (BRITISH) 7->27 10 powershell.exe 72 7->10         started        13 powershell.exe 7->13         started        15 powershell.exe 7->15         started        17 2 other processes 7->17 process5 dnsIp6 29 facebook.com 157.240.17.35 FACEBOOKUS United States 10->29 19 conhost.exe 10->19         started        31 twitter.com 104.244.42.193 TWITTERUS United States 13->31 33 192.168.2.1 unknown unknown 13->33 21 conhost.exe 13->21         started        35 google.com 172.217.168.46 GOOGLEUS United States 15->35 23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 13:22:35 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=woch5cc73yau2idej3l6fldj3ddhbcyfoafeczzb3zuoo7l42zxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
337a895245dcdbe522c4320dbe1dfd62e346aecad8246f9b895a5460211865b0
AgentTesla
360dc7aa2889b1ed05b553eccab73348de2fae89cd7742e64422712298b670ca
AgentTesla
3ed17d1df70b71852be2335f91bdfe20cd4a319a7d22d407e6e82a8dbe91bc5f
AgentTesla
4065ef6148d82e9b20fb8fb21b7969636fdc0218259f069adffabd3b2882cc81
AgentTesla
517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c
AgentTesla
7868ece7b29dcba357ff00b1e0394b6e8062eae5512c08a0dea575c2d4f55230
AgentTesla
d3ee5744817862d7e419d46ec2f89238c64d8fb18b3acf15863396143039bd63
AgentTesla
e69ebaafa96ca91f70472ad65cfbc6483f65911e715c8eede2707697aca8f077
AgentTesla
+ 10'691 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210927-rjfbbshbg3/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
SH256 hash:
b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f
MD5 hash:
63d5fec4417ab19871a893e8ce517bcc
SHA1 hash:
8442101a1cd985ddff442e39f774c13e09d409b0
Link:
https://www.unpac.me/results/cc27cc4f-768b-4061-9d51-642de2e6849c/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b3847e885fde/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments