MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4
SHA3-384 hash:	34d553a4ac96c0dbab2073d9d5a439eca6338dbea9385329f1a6828a936fc38e2c3899c177d867e453cae711e3344fd6
SHA1 hash:	8939c73029843320236abcd14becfe27b67a4ef8
MD5 hash:	7aed8d355a7d3c46117bd070425349d2
humanhash:	india-double-black-spaghetti
File name:	Proforma Invoice.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	757'760 bytes
First seen:	2020-10-22 01:51:37 UTC
Last seen:	2020-10-22 02:57:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:tuIy/iGEfBRDma0FUcrpJEwWiJTEA8brP8vQ4UcClFevJ/MkZwzWpsKY7d9A1GKF:oIy/xEJRrkUrYjsWVMkwWeKMA1GUKzof
Threatray	10'855 similar samples on MalwareBazaar
TLSH	10F41211B1A9AB73D5BE47F7311C052693B5189E7722E7281DF33BEA71A2B008B60D53
Reporter	GovCERT_CH
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/74403/

Detection(s):

SecuriteInfo.com.Trojan.InjectNET.14.22424.17392.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/506513

Signature

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Capture Wi-Fi password

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-10-22 01:03:11 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=woy7gr43puadhyq67com5idduaubmbgui4rfft2zb3ezxznkf22a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

082c20b7ce84dae638bcaecef84a954adf251ddf11fb2038ea3ad95e48c3d7ba

AgentTesla

21fd74234f073c7af91314d235b04418af7ad84f7a2cccc54b8af8192372cd7d

AgentTesla

62433e4de86d61a56cfc3333382d8a43d666a4839415a88ceca53a0754e06636

AgentTesla

7a93cc0c53a02b539c07c06f9fc2d0e9b3794e6c33165e4e7cbe34c569e31278

AgentTesla

8addc01173e27e282faccde8d201c4f7a95530c95525ae3290cea5e9537e6469

AgentTesla

ac5ebb2296437f981009943674e53071e6154c70b2ba473f816a3fec9a42d172

AgentTesla

c299c360a59db588d26e7063cfbafb5327ebb191e3f4bfb3611cadbcfa5aff25

AgentTesla

df696f5fa3df8ce1eaca951cad491770b1d7aeb6e6326a360bcdb266f6d31620

AgentTesla

fc7ebe6c552a74ca5ad5f273e569c81b3c8aa18e69a70dbb18e8b3a0105888b1

AgentTesla

+ 10'845 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware persistence trojan family:agenttesla

Link:

https://tria.ge/reports/201022-s9bddd77r2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4

MD5 hash:

7aed8d355a7d3c46117bd070425349d2

SHA1 hash:

8939c73029843320236abcd14becfe27b67a4ef8

Link:

https://www.unpac.me/results/281c1ba7-368f-4902-a8ea-4cb5a957a0ed/

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/281c1ba7-368f-4902-a8ea-4cb5a957a0ed/

SH256 hash:

15a2cf3ed73cf55fcf791a047fc0d672d42344752539d60de9d87004df773d9f

MD5 hash:

67ddedebc90e1232f9dce201c8a32503

SHA1 hash:

54e657b9112023124c1aa34eb5679518684c5199

Link:

https://www.unpac.me/results/281c1ba7-368f-4902-a8ea-4cb5a957a0ed/

SH256 hash:

98a617d0adab1d5a57d383b1dfa871e301f431819cd2af1aed61bec6044ec36f

MD5 hash:

1b011b9628f949b8f76ee8a29ff4225d

SHA1 hash:

d02e16ecf0cb52bd1d54eecc3facdcc34c105581

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/281c1ba7-368f-4902-a8ea-4cb5a957a0ed/

Parent samples :

b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4
b965e20213ebff1b60c20b0bb7159e74cbaa6d6fb70ff5fe1d2f85dc2eb251c5
4f7f5917d40bbc372c64653858938d7e9255f2a4800215c8c0c2ea839566cda9
c0fa3d471fb605ce9ea0e18e66079fffdfc82ebebcfc7fc0318235412907237f
6bdcd8e2956d4c754f9ecedeb22fa1121f3f3d6f41a9dba35cdc59ce6da6c0e9
ece55bf60d34d3e75131e7c4a2f5c082f2d5e57bd0f97a54c89dfaff156d081d

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar