MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3a17a454c5f6aa5ec28be35bdf6cbc04cbe7d4cd43833c942fee4fd0a89c621. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3a17a454c5f6aa5ec28be35bdf6cbc04cbe7d4cd43833c942fee4fd0a89c621
SHA3-384 hash: 7ea85c7b713267b6e9d3102b5c1ca58d9cae7966abd393343b5bf651c6d1f5cece790d5b0a4ccfd2420337b7d109df9a
SHA1 hash: 334f4166a4411c05d461e78b1c0218b6ee484d09
MD5 hash: cd9b722a70a040fc310760de70493606
humanhash: washington-avocado-stream-september
File name:ORDER QUOTATION.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:705'024 bytes
First seen:2023-09-28 13:56:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:02iN4yiRJU/Wc5zvt+8dwdKsoN7AUifmyHjgSz0GDgn:019FeIRvIGNQZHjjzNgn
Threatray 5'667 similar samples on MalwareBazaar
TLSH T149E4021669FD0FD5D778ABFA9826900593B725A62123E34C0CC3B5CB027AF819750FA7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
ORDER QUOTATION.exe
Verdict:
Malicious activity
Analysis date:
2023-09-28 14:03:13 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/b56ac250-bc92-4e0f-a17b-ac49e555dceb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451800/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65158630988a26b6d971b5a4/reports/9a734f6d-6a7c-4fb1-92db-0566f632e9b0/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b3a17a454c5f6aa5ec28be35bdf6cbc04cbe7d4cd43833c942fee4fd0a89c621
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5423970e-81d7-4e2c-8a2d-3c8898c6f09b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1315891
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1315891 Sample: ORDER_QUOTATION.exe Startdate: 28/09/2023 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Found malware configuration 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 9 other signatures 2->64 7 ORDER_QUOTATION.exe 7 2->7         started        11 NylNbG.exe 5 2->11         started        13 OzaFJlz.exe 2->13         started        15 OzaFJlz.exe 2->15         started        process3 file4 46 C:\Users\user\AppData\Roaming46ylNbG.exe, PE32 7->46 dropped 48 C:\Users\user\AppData\Local\...\tmp5469.tmp, XML 7->48 dropped 78 Uses schtasks.exe or at.exe to add and modify task schedules 7->78 80 Writes to foreign memory regions 7->80 82 Allocates memory in foreign processes 7->82 88 2 other signatures 7->88 17 RegSvcs.exe 17 4 7->17         started        22 RegSvcs.exe 7->22         started        24 powershell.exe 20 7->24         started        26 schtasks.exe 1 7->26         started        84 Multi AV Scanner detection for dropped file 11->84 86 Machine Learning detection for dropped file 11->86 28 RegSvcs.exe 11->28         started        30 schtasks.exe 1 11->30         started        32 backgroundTaskHost.exe 11->32         started        34 conhost.exe 13->34         started        36 conhost.exe 15->36         started        signatures5 process6 dnsIp7 50 mail.asiaparadisehotel.com 112.213.92.100, 49800, 49802, 587 SUPERDATA-AS-VNSUPERDATA-VN Viet Nam 17->50 52 api4.ipify.org 64.185.227.156, 443, 49799, 49801 WEBNXUS United States 17->52 54 api.ipify.org 17->54 44 C:\Users\user\AppData\Roaming\...\OzaFJlz.exe, PE32 17->44 dropped 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->68 70 May check the online IP address of the machine 22->70 38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        56 api.ipify.org 28->56 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->72 74 Tries to steal Mail credentials (via file / registry access) 28->74 76 Tries to harvest and steal browser information (history, passwords, etc) 28->76 42 conhost.exe 30->42         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b3a17a454c5f6aa5ec28be35bdf6cbc04cbe7d4cd43833c942fee4fd0a89c621/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-28 09:48:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=woqxurkml5vkl3bixy2335wlybgl47km2q4dhskc73sp2cujyyqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
178dfba1bc6c689b9f3170003e559431a5244f43b8b0639d37ed77446bd9ebca
AgentTesla
3b6a3c3e882e95192ca46c020d2651800671e59816eb9aa0cef15cabdbfebfe7
AgentTesla
4d7baaac41068e98e18399597fbd22cc0ee2ae3b2055745c3cd304b697aa12ed
AgentTesla
79b920d634334a0c90d75e4630730604ca9caad3ff3ec66f85bce143bbb56d49
AgentTesla
8c929903e4e19929cb2c3a77560fe295684b67434763be0372cbdbcef7d44191
AgentTesla
acedd97c8350bacc485e87ae56c851d08b497c202deb46df28c3e7218cb4469a
AgentTesla
ae26382f191225447550e9a691453fc3ea2e02127222787c662efc8db63c59e3
AgentTesla
e477f1e27f4484425cc8317e0a0abbbf81fcbd4944714abbf702b6d27c811ea6
AgentTesla
ea76d84bffa9794fe86505016d0370dd29db84fbdff79a26bfee30be32a7a0a8
AgentTesla
+ 5'657 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230928-q89qssdb89/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
a655be43f79d44bf3e6720e6e1aa99b8fd94785cd46707d9a0dd48a10e4d20c8
MD5 hash:
7c2c98a1bc1af93e1bc1e0c933915b8e
SHA1 hash:
c5c3a2e553fdfa9010cf11b582fe3399c5551ffd
Link:
https://www.unpac.me/results/09a3f583-7d0d-47aa-ae98-354bed29d0c6/
SH256 hash:
10c2af6775281471f310a311b5679c15a92f52a63fd568121eceff11619d943c
MD5 hash:
3ba9138dee0e8c0cbfa145c6558e5494
SHA1 hash:
c4f0d50cdcb62a5e70dfc6fb0aed4623851321a4
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/09a3f583-7d0d-47aa-ae98-354bed29d0c6/
Parent samples :
b3a17a454c5f6aa5ec28be35bdf6cbc04cbe7d4cd43833c942fee4fd0a89c621
60751e1f86b4b78e592917168a731a30b464a6c52b59118490ac8411905cbcc3
055aa8e2816ebdf77f441bc3dd667aafd2aef85a24941bf94761620f9291fe1a
SH256 hash:
caa97eef0dfaba4395ec91e22c0812706c656e027837d111520106104491a69f
MD5 hash:
fdae2539d61399bb8587e311fd1dbdff
SHA1 hash:
85e3797df95cd32e4b2b05f8f46b81571b866c14
Link:
https://www.unpac.me/results/09a3f583-7d0d-47aa-ae98-354bed29d0c6/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/09a3f583-7d0d-47aa-ae98-354bed29d0c6/
SH256 hash:
b3a17a454c5f6aa5ec28be35bdf6cbc04cbe7d4cd43833c942fee4fd0a89c621
MD5 hash:
cd9b722a70a040fc310760de70493606
SHA1 hash:
334f4166a4411c05d461e78b1c0218b6ee484d09
Link:
https://www.unpac.me/results/09a3f583-7d0d-47aa-ae98-354bed29d0c6/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b3a17a454c5f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3a17a454c5f6aa5ec28be35bdf6cbc04cbe7d4cd43833c942fee4fd0a89c621

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/451800/

Comments