MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3dbf781957cbdd8917bf78782d83bb985a0ab219cd51dcff8ac7ef7abc53b99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	b3dbf781957cbdd8917bf78782d83bb985a0ab219cd51dcff8ac7ef7abc53b99
SHA3-384 hash:	b6e7c7ef9f530268cdd5219f7d6a14a5cae5b227a2cec207c2a3bca472ca9895289d241ec53aae9a52f7fd83a8fbdb98
SHA1 hash:	ebfdec6ffbaf968ee54cd022d8ad86b09eec8e9c
MD5 hash:	ad734f41762b27d639d4495791763ad7
humanhash:	montana-fanta-don-bakerloo
File name:	Shipping DOC_PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	66'008 bytes
First seen:	2020-11-23 08:37:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	768:W9/HDoyRaQs0/6X3+ZG6SiCptvA0zNUf2h4:WNoyRfs0EWgtvA0zNUf9
Threatray	1'443 similar samples on MalwareBazaar
TLSH	44532B3632762E88D5F8A4750D997A1443F232DBEF12C3682DDD93C6B7853473B0AA58
Reporter	cocaman
Tags:	AgentTesla exe

Code Signing Certificate

Organisation:	Bbbbcceeffdfdfbaeecede
Issuer:	Bbbbcceeffdfdfbaeecede
Algorithm:	sha256WithRSAEncryption
Valid from:	Nov 23 05:45:32 2020 GMT
Valid to:	Nov 23 05:45:32 2021 GMT
Serial number:	B6128C1451FAEBA57721260E75F36678
Thumbprint Algorithm:	SHA256
Thumbprint:	5472FF7EE9447EB894483E8BA930835CD659BFD1C89330068DD40B65AD6F06DB
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Sending a UDP request

DNS request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Sending a TCP request to an infection source

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/544893

Signature

Binary contains a suspicious time stamp

Connects to a pastebin service (likely for C&C)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/b3dbf781957cbdd8917bf78782d83bb985a0ab219cd51dcff8ac7ef7abc53b99/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-23 08:38:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wpn7pamvps65rel366dyfwb3xgc2bkzbttkr3t7yvr7ppk6fhomq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda

AgentTesla

436fdd814820def5e208ef0ed29038a5f4b0e84b418694591c926b6961e1203f

AgentTesla

480190443e701b4d129d789fe99b20bd84372470a14f2a113705735065bd43f6

AgentTesla

53b6f647f6c5d712e8ac0d200bb2e91d90814f649fd7eb8890367c0e8383b3ba

AgentTesla

8117efde6fd5ac0ab1698db8c25183c933cb93644526c0295a712deb598f57d8

AgentTesla

8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f

AgentTesla

9d8df34f842a101d2026ed540a5e28f3138dec4a223757860e842886d15033c5

AgentTesla

c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96

AgentTesla

f219aebbf79335831bca724a7b5e5039efb16b2ce3a5cdc3fdf6c31e8343f228

AgentTesla

+ 1'433 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201123-9kxnklpaqn/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

b3dbf781957cbdd8917bf78782d83bb985a0ab219cd51dcff8ac7ef7abc53b99

MD5 hash:

ad734f41762b27d639d4495791763ad7

SHA1 hash:

ebfdec6ffbaf968ee54cd022d8ad86b09eec8e9c

Link:

https://www.unpac.me/results/c37aa97b-af5e-4bba-84fd-fed5d9254518/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b3dbf781957cbdd8917bf78782d83bb985a0ab219cd51dcff8ac7ef7abc53b99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.