MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3956670c2fb4ab0739bff8f47efc5f6accc848960a9ec11e8bb1849dfc8a59d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 17



SHA256 hash: d3956670c2fb4ab0739bff8f47efc5f6accc848960a9ec11e8bb1849dfc8a59d
SHA3-384 hash: 78fa573b7c38fbe287c084f0279c3986fa1c690d4a3d9aacd461819ec46cf0fd8e23f09ce7b0d09a182264346c7dd5cd
SHA1 hash: 3ffdfbd18c6259fbc62c3cdc1f82977f9808143a
MD5 hash: 235fd45bf6dbc62b5310a71e761ee5a6
humanhash: moon-alaska-happy-crazy
File name: Quotation.exe
Signature AgentTesla
File size: 564'224 bytes
First seen: 2024-09-05 17:30:41 UTC
Last seen: 2024-09-05 18:26:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:3YV6MorX7qzuC3QHO9FQVHPF51jgc322X3x+XorsE5hl7qS:EBXu9HGaVH35X34pE5hlR
TLSH T104C423801FC1A972C1A463B9D43BCC40142638B5CFE577AD829DF56DF93AB83D82B54A
TrID: 35.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
      8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter threatcat_ch
Tags: AgentTesla exe
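The dhash icon value in the table is a difference hash of the PE icon, used to pivot to other samples that ship the same icon (here 2'034 Formbook, 1'183 CredentialFlusher and 666 AgentTesla samples). The following is an added example, not MalwareBazaar's code; it assumes the common dhash construction (9x8 grayscale grid, one bit per horizontal neighbour pair, 64 bits as 16 hex characters), since the page does not document MalwareBazaar's exact parameters. The icon pixel data is constructed for the example.

```python
"""Difference hash (dhash) for icon pivoting, as seen in the "dhash icon" row.

Added example, not MalwareBazaar's or any dhash library's own code. It
assumes the common dhash recipe (MalwareBazaar's exact parameters are not
stated on the page): box-average the grayscale icon down to a 9-wide by
8-high grid, emit 1 bit per horizontally adjacent pair (1 when the left
pixel is brighter), and pack the 64 bits into 16 hex characters.
All pixel data below is constructed for the example.
"""


def downscale(pixels, width=9, height=8):
    """Box-average a grayscale image (list of rows of 0-255 ints) to width x height."""
    src_h, src_w = len(pixels), len(pixels[0])
    if src_h < height or src_w < width:
        raise ValueError("image smaller than target grid")
    grid = []
    for y in range(height):
        y0, y1 = y * src_h // height, (y + 1) * src_h // height
        row = []
        for x in range(width):
            x0, x1 = x * src_w // width, (x + 1) * src_w // width
            block = [pixels[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        grid.append(row)
    return grid


def dhash(pixels):
    """Return the 16-hex-character difference hash of a grayscale image."""
    grid = downscale(pixels)
    bits = 0
    for row in grid:
        for x in range(8):
            # 1 if the left cell is brighter than its right neighbour
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return f"{bits:016x}"


def hamming(hash_a, hash_b):
    """Number of differing bits between two dhash hex strings (0 = identical icon)."""
    return bin(int(hash_a, 16) ^ int(hash_b, 16)).count("1")


def gradient_icon(size=32, reverse=False):
    """Constructed 32x32 icon that gets brighter left to right (or right to left)."""
    return [[(size - 1 - x) * 8 if reverse else x * 8 for x in range(size)]
            for _ in range(size)]


def icon_with_blob(size=32):
    """The same gradient with a small bright patch in the top-left corner."""
    icon = gradient_icon(size)
    for y in range(4):
        for x in range(4):
            icon[y][x] = 255
    return icon


if __name__ == "__main__":
    base, flipped, variant = gradient_icon(), gradient_icon(reverse=True), icon_with_blob()
    print(dhash(base), dhash(flipped), dhash(variant))
    # A lightly edited icon stays within a few bits of the original, which is
    # why dhash pivots survive recolouring or small touch-ups by the actor.
    print("near-duplicate distance:", hamming(dhash(base), dhash(variant)))
```

When pivoting on dhash in a corpus, compare with a small Hamming threshold rather than exact equality; an exact match is what MalwareBazaar counts, but near matches catch re-encoded or slightly edited icons.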

Intelligence


File Origin
# of uploads: 2
# of downloads: 434
Origin country: CH
Vendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
Quotation.exe
Verdict:
Malicious activity
Analysis date:
2024-09-05 17:32:57 UTC
Tags:
agenttesla stealer evasion exfiltration smtp

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
autoit lolbin microsoft_visual_cc overlay packed packed packed shell32 upx
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2024-09-05 17:11:31 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla_v4 agenttesla
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla credential_access discovery keylogger spyware stealer trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Looks up external IP address via web service
UPX packed file
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Unpacked files
SHA256 hash:
aa4240d3c6a1ba38ff9c7abe3455a20c782b5e3aaa96af6e4332bc9476fd656e
MD5 hash:
06af3c3f7b31c9d3d27981a0842dacb0
SHA1 hash:
407cc724660e5787cf05e03b08c6f28b4835d51f
Detections:
AgentTesla win_agent_tesla_g2 INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Agenttesla_type2 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Parent samples:
SHA256 hash:
e76fbdfe2f14252c431b6f152d170e2f6a4e4c22967685d3043162cdb0506d6f
MD5 hash:
2ce5f0d019e52053548e1ebc9f4f01ab
SHA1 hash:
790ff758fc33660ce0535fdcbaceecd2a0a1f814
Detections:
AutoIT_Compiled
SHA256 hash:
d3956670c2fb4ab0739bff8f47efc5f6accc848960a9ec11e8bb1849dfc8a59d
MD5 hash:
235fd45bf6dbc62b5310a71e761ee5a6
SHA1 hash:
3ffdfbd18c6259fbc62c3cdc1f82977f9808143a
Detections:
SUSP_Imphash_Mar23_3
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Imphash_Mar23_3
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author:malware-lu
Rule name:upx_largefile
Author:k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d3956670c2fb4ab0739bff8f47efc5f6accc848960a9ec11e8bb1849dfc8a59d (this sample)
Delivery method
Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::GetAce
MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::timeGetTime
WIN_BASE_API | Uses Win Base API | KERNEL32.DLL::LoadLibraryA
WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetUseConnectionW
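The three BLint findings come straight from PE header fields: the DllCharacteristics word of the optional header (HIGH_ENTROPY_VA and NX_COMPAT bits) and the security data directory that carries an Authenticode signature. The following is an added example, not BLint's or MalwareBazaar's code, that re-derives those findings from a PE image with only the standard library; the header-only PE images it builds are constructed for the example and are not this sample's bytes. Note that, since this sample is UPX-packed (see the TrID and YARA results), the flags describe the packer's outer PE as it sits on disk, not necessarily the unpacked payload.

```python
"""Re-derive the three BLint findings from PE header fields.

Added example, not BLint's or MalwareBazaar's code. It reads only the
fields those findings depend on: the DllCharacteristics word of the
optional header (HIGH_ENTROPY_VA = 0x0020, NX_COMPAT = 0x0100) and the
security data directory (entry 4) that holds an Authenticode signature.
The PE images built by build_minimal_pe() are constructed for the
example and are not the sample's bytes.
"""
import struct

HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4


def pe_hardening(data):
    """Return DllCharacteristics plus BLint-style (id, title, severity) findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        n_rva_off, dd_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        n_rva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    n_rva = struct.unpack_from("<I", data, n_rva_off)[0]
    sec_off = sec_size = 0
    if n_rva > SECURITY_DIR_INDEX:
        sec_off, sec_size = struct.unpack_from("<II", data, dd_off + 8 * SECURITY_DIR_INDEX)

    findings = []
    # A populated security directory only proves a signature blob is attached;
    # whether it verifies against a trusted chain needs a separate check.
    if sec_off == 0 or sec_size == 0:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if not dll_chars & HIGH_ENTROPY_VA:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (HIGH_ENTROPY_VA)", "high"))
    if not dll_chars & NX_COMPAT:
        findings.append(("CHECK_NX", "Missing Non-Executable Memory Protection", "critical"))
    return {"magic": magic, "dll_characteristics": dll_chars, "findings": findings}


def build_minimal_pe(dll_chars, signed):
    """Constructed header-only PE32 image: DOS stub, PE signature, COFF and optional header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew points right after the DOS header
    # i386, no sections, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)       # NumberOfRvaAndSizes
    if signed:
        # Security directory holds a raw file offset and size of the WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, 0x200, 0x100)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    cases = (("unsigned, unhardened", 0, False),
             ("signed, hardened", HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT, True))
    for label, chars, signed in cases:
        print(label, pe_hardening(build_minimal_pe(chars, signed))["findings"])
```

Run it against a real file with `pe_hardening(open(path, "rb").read())`; the unhardened constructed image reproduces the same three findings as the table above, and the hardened one reports none.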
