MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3729ee774783f9a15211e79e021238418c97d4625631368f7c2e187678ba72a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3729ee774783f9a15211e79e021238418c97d4625631368f7c2e187678ba72a
SHA3-384 hash: 9185cd28e854107e4aa75813d3a48c14c829dc916f1cf2f71f26ea0ec3b5936d6389f5eedae4f92e162d569dcbe37313
SHA1 hash: b083e5356585b1fb246f5f38878735fa0f232151
MD5 hash: 08e9726af71afff24f4f803989872313
humanhash: kilo-double-sweet-delta
File name:08e9726af71afff24f4f803989872313.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'427'459 bytes
First seen:2023-10-22 18:00:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:NTbBv5rUanDK1DKvMrBW4ey2Tygt90e+hoxkSKo:HBjW4vMr8Maygt+HSB
Threatray 634 similar samples on MalwareBazaar
TLSH T1206512027ED264F2D1732D371A656B22E9BCB9301FA98DDF93D04969DA304C0D735BA2
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f4d4d4cce4e8e0 (27 x AgentTesla, 19 x Formbook, 17 x DBatLoader)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
08e9726af71afff24f4f803989872313.exe
Verdict:
Malicious activity
Analysis date:
2023-10-22 18:01:13 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/609c761d-744e-4af7-92fc-ff9a041516e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.29320.Rarsfx.SUD.UNOFFICIAL
Create hunting rule

Win.Malware.Nanocore-10008288-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Stealing user critical data
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware installer lolbin overlay packed redcap replace setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/653563622614136586e9506b/reports/5f7a290a-ae17-4508-9f87-caf4201c3cda/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d3729ee774783f9a15211e79e021238418c97d4625631368f7c2e187678ba72a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a1b0f2e-989f-40ad-a039-c80ef94ac740
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1330131
Signature
Antivirus detection for dropped file
Contains functionality to modify clipboard data
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AgentTesla
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1330131 Sample: xfeZH8xMuM.exe Startdate: 22/10/2023 Architecture: WINDOWS Score: 100 49 oiliskim.com 2->49 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected AgentTesla 2->61 63 Yara detected AntiVM autoit script 2->63 65 2 other signatures 2->65 15 xfeZH8xMuM.exe 35 2->15         started        signatures3 process4 file5 45 C:\ikpx\jaslea.pif, PE32 15->45 dropped 47 C:\ikpx\bili.exe, PE32 15->47 dropped 53 Drops PE files with a suspicious file extension 15->53 55 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->55 57 Starts an encoded Visual Basic Script (VBE) 15->57 19 wscript.exe 1 15->19         started        22 bili.exe 2 15->22         started        signatures6 process7 dnsIp8 67 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->67 25 jaslea.pif 3 4 19->25         started        51 oiliskim.com 141.95.172.69, 49711, 587 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 22->51 69 Antivirus detection for dropped file 22->69 71 Multi AV Scanner detection for dropped file 22->71 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->73 75 4 other signatures 22->75 signatures9 process10 signatures11 81 Antivirus detection for dropped file 25->81 83 Multi AV Scanner detection for dropped file 25->83 85 Machine Learning detection for dropped file 25->85 87 2 other signatures 25->87 28 wscript.exe 1 25->28         started        process12 process13 30 jaslea.pif 1 28->30         started        signatures14 89 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 30->89 33 wscript.exe 30->33         started        process15 process16 35 jaslea.pif 33->35         started        signatures17 77 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 35->77 38 wscript.exe 35->38         started        process18 process19 40 jaslea.pif 38->40         started        signatures20 79 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 40->79 43 wscript.exe 40->43         started        process21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d3729ee774783f9a15211e79e021238418c97d4625631368f7c2e187678ba72a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3729ee774783f9a15211e79e021238418c97d4625631368f7c2e187678ba72a/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-17 15:16:53 UTC
File Type:
PE (Exe)
Extracted files:
298
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2nzj5z3upa7zufjbdz46aijdqqmms7kgevrrg2hxylqyoz4lu4va._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
37203c38c11b529b8d10382dfb610e739ceb38daae8bc1c19f28506edf3dfdd1
AgentTesla
51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25
AgentTesla
592217d2590ae9ca688346688b2d7d13a78190f9562889597ebb79060136034c
AgentTesla
719342deb77a6f03f09db95f137db0de14beb7f98c80372c21238a74d5f58b97
AgentTesla
726bc1cc141d4ad30a0a1622d3aa8ac21af76273180b0efd160d2cc12d4a7fcb
AgentTesla
8e16304b756988b8fedf67c9c0eee38873fa743a2e9beae9bfc7bc44206e6a5d
AgentTesla
ced55c9b4b3dba810dc674575818bb4d9dc828d3df6efee4a15d85ac24abd69b
AgentTesla
d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8
AgentTesla
fe8269a96b39d622796d4ded1ba8c9bed83e8abb17d0c159f8a3eac96594c965
AgentTesla
+ 624 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231022-wlv7sabf5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
448bd3a51117128565cadd25316f65113e83f07e25a71c61c8fa0d9a31a8caee
MD5 hash:
14d776832cca77281595996852719871
SHA1 hash:
019794fd4737c614058bc81f1e5fa8e43bba582b
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/45085941-598a-4966-8753-ca64a154939b/
Parent samples :
cf7ecaebf8b1d31a0d5ebaa74b29ec6455d2ccdcd0d1d1587729eee498f41a4f
d3729ee774783f9a15211e79e021238418c97d4625631368f7c2e187678ba72a
SH256 hash:
f7d035e37e2c50033e23fc86c1efc6b6c04df091274c686a622acef692b1a4b3
MD5 hash:
10542f11049b453dfdf4f3f1c3d26b6f
SHA1 hash:
73fb4de774d73a699a3c6e88eaf932ff9934a2e0
Link:
https://www.unpac.me/results/45085941-598a-4966-8753-ca64a154939b/
SH256 hash:
d3729ee774783f9a15211e79e021238418c97d4625631368f7c2e187678ba72a
MD5 hash:
08e9726af71afff24f4f803989872313
SHA1 hash:
b083e5356585b1fb246f5f38878735fa0f232151
Link:
https://www.unpac.me/results/45085941-598a-4966-8753-ca64a154939b/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d3729ee77478/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3729ee774783f9a15211e79e021238418c97d4625631368f7c2e187678ba72a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments