MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3a34de391f5072cd26a2be41b5a9b0f7a2cb0b502ef01ded4b777f6a0cb6833. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	b3a34de391f5072cd26a2be41b5a9b0f7a2cb0b502ef01ded4b777f6a0cb6833
SHA3-384 hash:	62b404c1cb022fd60f539c7e27253f51641bcb3bddf2becd300f849fe7d0e77d40e72872b685dd8dff12e147c9236b38
SHA1 hash:	51b5428c52128dadfe95bad4f2d2aed415213011
MD5 hash:	c207d67faa4433dacdda40a3a98e740b
humanhash:	washington-ohio-idaho-spring
File name:	SecuriteInfo.com.Win32.PWSX-gen.12103.17670
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	656'896 bytes
First seen:	2023-12-14 03:15:05 UTC
Last seen:	2023-12-18 08:51:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:WK0oLteqOf8nIimDYwCiD7QUQ4FKDVwpl4+u1km0g:W9gBOQbMcifQF4FmVwj4gw
TLSH	T131D423952E1CDBBBCBDD26F49D70514A07BA065B3E76FA4D8DC8668908BFB0243C5213
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

462

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/467352/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.12103.17670.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Reading critical registry keys

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/657a7375da3178d99ce44739/reports/a74fe4e4-718c-4df1-bfa1-996fc301b189/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b3a34de391f5072cd26a2be41b5a9b0f7a2cb0b502ef01ded4b777f6a0cb6833

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dae4ff12-ef2c-468c-b8e8-848c507fec5f

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1361868

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b3a34de391f5072cd26a2be41b5a9b0f7a2cb0b502ef01ded4b777f6a0cb6833

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b3a34de391f5072cd26a2be41b5a9b0f7a2cb0b502ef01ded4b777f6a0cb6833/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-14 03:07:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 22 (68.18%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=woru3y4r6udszutkfpsbwwu3b55czmfvalxqdxwuw537niglnazq._file

Verdict:

malicious

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231214-dsfrkabagr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

a34822518e59724e617d9460c7bed908ba6a00facb0732fc7a7b5b9562621c89

MD5 hash:

f8503b9fc7660e8371e0852380097ee5

SHA1 hash:

ce0201826949c62205cabde8c4f92ee4a3435e99

Link:

https://www.unpac.me/results/8babd5d4-c134-48be-8e19-841652e56538/

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/8babd5d4-c134-48be-8e19-841652e56538/

SH256 hash:

bba03f84b01df6772053f2ae70c6387522fd4a772fa4498afdd1f2c246e85415

MD5 hash:

ff641d1ab661288cf7258a39885ed5d6

SHA1 hash:

2bb98f966fa60e70377fc0b5426b4daff7eb0889

Link:

https://www.unpac.me/results/8babd5d4-c134-48be-8e19-841652e56538/

SH256 hash:

e9253ec00d5b51b6335d4c5deac492fb606dc87760657c0c33b901ed4dcdb05b

MD5 hash:

027015ee1c018fb06727ce262c62e06b

SHA1 hash:

26a7fa9ed40b9ccff2a9e7b50c22425835cab0d3

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/8babd5d4-c134-48be-8e19-841652e56538/

Parent samples :

1acf4214e296a724d9f3de5a07c317dc9d3e2eb5e065fc4500201c86bc6c61da
1ff764ec5a79ed2072a558af6de49b863e9e5683e63b3c070e86c9d1b7814f4d
b3a34de391f5072cd26a2be41b5a9b0f7a2cb0b502ef01ded4b777f6a0cb6833
7f2fea83dd18d529a6a6440334240fd6ea6cb4a84d4bfe1ab3213c894a7a51d0

SH256 hash:

b3a34de391f5072cd26a2be41b5a9b0f7a2cb0b502ef01ded4b777f6a0cb6833

MD5 hash:

c207d67faa4433dacdda40a3a98e740b

SHA1 hash:

51b5428c52128dadfe95bad4f2d2aed415213011

Link:

https://www.unpac.me/results/8babd5d4-c134-48be-8e19-841652e56538/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b3a34de391f5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b3a34de391f5072cd26a2be41b5a9b0f7a2cb0b502ef01ded4b777f6a0cb6833

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/467352/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample