MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3ca0b93eff9f2f129fe069e2b7dc734f749db4d098a9be27e28e36519b3fb70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3ca0b93eff9f2f129fe069e2b7dc734f749db4d098a9be27e28e36519b3fb70
SHA3-384 hash: 2cfa6ad4e6b929d0a291149902e654038a7212b95badffc510e549be3fa33457e0b243213dc17e075d6ac2a23a2e945c
SHA1 hash: 3685206ef80828371bb5ffeef5dc35351194eafa
MD5 hash: 926f1921a1c2823926681f21eaef2679
humanhash: white-vegan-spring-washington
File name:Oferta-CTHU- Equipamiento..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'062'912 bytes
First seen:2023-06-07 11:22:42 UTC
Last seen:2023-06-07 11:29:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:RINiEP/SJaieyY3Pdy7KVwG8Q+VrYLz4ge47WZ4ackzDOFU8s8ROI9HzuL56rcGF:RIB/4Kfdy70h8L8LzDe4Wf8I8R1EqTJ
Threatray 4'902 similar samples on MalwareBazaar
TLSH T1BA35011476BA4F1ED87AAFF54A04613083F16A5A347BD6495EE328EB5D70FC00E81B63
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Oferta-CTHU- Equipamiento..exe
Verdict:
Malicious activity
Analysis date:
2023-06-07 11:25:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/05505769-e2fa-4bf4-9784-b38d1782dc1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/396370/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67340386.1548.349.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/64806897a824595d004bb5e6/reports/da7961ec-39e9-4d69-a147-fcc89633e08c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b3ca0b93eff9f2f129fe069e2b7dc734f749db4d098a9be27e28e36519b3fb70
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e38eba0-05bb-4982-b3c0-9659653ba79b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1250210
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b3ca0b93eff9f2f129fe069e2b7dc734f749db4d098a9be27e28e36519b3fb70/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-01 19:40:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpfaxe7p7hzpckp6a2pcw7ohgt3utw2nbgfjxyt6fdrwkgnt7nya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
22f78673c87c878a5be8e407f697613d8b1dd28f08a2419e8be224fabc3f02ea
AgentTesla
6076d3956e79dc8752564da23a3dfa0100509b647128e82552bd234e5fa61ae8
AgentTesla
9267fc3af8040cbf3f53d4501c063d70e54574c98d7133a5c18c8d5b9686d901
AgentTesla
95969e3e0c1793e6177d5c5d20c9a667c9f28bb64907ad489682c41668efc29d
AgentTesla
9e5c195dcf2739418a55f6d03c1a05507f533e8a226253ffdd8b93e96f9fea51
AgentTesla
a558acd6978677d1f7ea7e1a18f675d7a49b0c3216633b2aac042abc2d0a54af
AgentTesla
c7b3ec3ac46bb0ccc41cde29a371ed3c84aff73d70ddd668f2c5bcb5ba3b2819
AgentTesla
cd8bc55c70d85611ef59efe45a5676da4e0b82f067cf188035fe9c28be2c591f
AgentTesla
e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4
AgentTesla
+ 4'892 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230607-ng4z5ahg44/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
3214ce6d699782a1bfcca1a5f01137de8c7d5c377d7a4208775f2ed8c2478304
MD5 hash:
bcee068cbec8334f277bcfe996548f6b
SHA1 hash:
f3d28a05ff6a88269df288ccc4a174822947a750
Link:
https://www.unpac.me/results/7f6bc01b-cc01-4972-bd5b-86b5c8bb2dca/
Parent samples :
1a30bc0d430f010b44ea3768053a0889efab84eb1b5b199153b487633733de78
9e19816e28ea81520a46e89d85f46e573f4feed5eb0eef8537c36b1120bed32f
SH256 hash:
925969a7068a0b9d2b1c5921342252ec831e08b84ef8c679769402154c9edb8a
MD5 hash:
7bde64c8d1fa6b4d3738e9e990903adf
SHA1 hash:
d4cc6b03c05f6743d104002ef1c9cd9f869adc81
Link:
https://www.unpac.me/results/7f6bc01b-cc01-4972-bd5b-86b5c8bb2dca/
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/7f6bc01b-cc01-4972-bd5b-86b5c8bb2dca/
SH256 hash:
f079da0dfbc9855277ae9d398b58bf2f1330a20008a607dc12b0279f3baaba0e
MD5 hash:
2aeb41c8c1ce3ad1309ba4ee7b21783c
SHA1 hash:
4681a726a038fd9e7226c8e8c7bbca13c7162262
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/7f6bc01b-cc01-4972-bd5b-86b5c8bb2dca/
Parent samples :
cd8bc55c70d85611ef59efe45a5676da4e0b82f067cf188035fe9c28be2c591f
b3ca0b93eff9f2f129fe069e2b7dc734f749db4d098a9be27e28e36519b3fb70
f3b4b1719930593f8c1e135c3cc9d40567cd2077600fceb95aabed24792a5252
c1861f48bc8684453fc7a339b2bbac26cd79e2c145706066a77b8ab482660c84
b483fa2b04ee2305e50ec070450c43c4feef6d98a30f01aa1f003f11ffad2aa4
6d2a00d71cfe1ac88de75df0150145f8800668afd66cec2c73b0eeae2e4d4b5f
2b4cf6b7907df730c69b34f85e473d4c826c3bc8d423a79b5d7cf0b2a2414b95
SH256 hash:
95180f26e180cd378dd0cfbf6a84b4768c8b983632fabc7cf334293d91d78d11
MD5 hash:
0efe1c1662c9e3c3ae1ea636f32fb089
SHA1 hash:
120f26f8ebdc9c9dc1c3c795cc623b0f2e0709d0
Link:
https://www.unpac.me/results/7f6bc01b-cc01-4972-bd5b-86b5c8bb2dca/
SH256 hash:
b3ca0b93eff9f2f129fe069e2b7dc734f749db4d098a9be27e28e36519b3fb70
MD5 hash:
926f1921a1c2823926681f21eaef2679
SHA1 hash:
3685206ef80828371bb5ffeef5dc35351194eafa
Link:
https://www.unpac.me/results/7f6bc01b-cc01-4972-bd5b-86b5c8bb2dca/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b3ca0b93eff9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/b3ca0b93eff9f2f129fe069e2b7dc734f749db4d098a9be27e28e36519b3fb70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 5fcfdd1656b83d9d0d5e804ca127c129f1581a86897ba5baa98c14c8789b8f06

AgentTesla

Executable exe b3ca0b93eff9f2f129fe069e2b7dc734f749db4d098a9be27e28e36519b3fb70

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5fcfdd1656b83d9d0d5e804ca127c129f1581a86897ba5baa98c14c8789b8f06
Cape
Cape
https://www.capesandbox.com/analysis/396370/
  
Dropped by
MD5 5f7188fae3ece6c200d0742f1fffcbee

Comments