MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3ed59aa66458ead040f4d4b8e0df0e90b5ed1301102b9913516317feca3fbaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3ed59aa66458ead040f4d4b8e0df0e90b5ed1301102b9913516317feca3fbaf
SHA3-384 hash: 8f05feebdbf51b7964d7a291fcc6954ad73fb063e9095ee4cc4e04193acdf844d7410cc254b7ea759f2edb26531cf849
SHA1 hash: 49aca184aa67c6219fc979a1280e5f8bd0f4378a
MD5 hash: c458f95383dd7bba8165c0e90661e707
humanhash: sodium-nebraska-mobile-lamp
File name:c4mvTY6wOhOW0ey.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:734'720 bytes
First seen:2021-05-28 05:53:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:NYZvEqXwO+dAHuMwTE14Ysi9gbC5ehx6tH:uREqA3q4Ysi9bTt
Threatray 22 similar samples on MalwareBazaar
TLSH 8AF47D2D22D4571BD17DD3B8CDE4801393A1F527B622FA9D98C503690B936CAB99333E
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c4mvTY6wOhOW0ey.exe
Verdict:
Malicious activity
Analysis date:
2021-05-28 05:54:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0913c996-f24b-49c2-bc25-ad725837a876

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162887/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.763-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/793647
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 426043 Sample: c4mvTY6wOhOW0ey.exe Startdate: 28/05/2021 Architecture: WINDOWS Score: 100 47 premiercareclinic.com 2->47 49 mail.premiercareclinic.com 2->49 59 Found malware configuration 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 6 other signatures 2->65 8 c4mvTY6wOhOW0ey.exe 7 2->8         started        12 kprUEGC.exe 5 2->12         started        14 kprUEGC.exe 2->14         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\tjGrfN.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\...\tmp30C3.tmp, XML 8->39 dropped 41 C:\Users\user\...\c4mvTY6wOhOW0ey.exe.log, ASCII 8->41 dropped 67 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->67 69 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->69 71 Uses schtasks.exe or at.exe to add and modify task schedules 8->71 16 c4mvTY6wOhOW0ey.exe 2 5 8->16         started        21 schtasks.exe 1 8->21         started        73 Multi AV Scanner detection for dropped file 12->73 75 Injects a PE file into a foreign processes 12->75 23 kprUEGC.exe 2 12->23         started        25 schtasks.exe 1 12->25         started        signatures6 process7 dnsIp8 43 premiercareclinic.com 158.69.148.83, 49748, 49749, 587 OVHFR Canada 16->43 45 mail.premiercareclinic.com 16->45 31 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 16->31 dropped 33 C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII 16->33 dropped 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->51 53 Tries to steal Mail credentials (via file access) 16->53 55 Tries to harvest and steal ftp login credentials 16->55 57 4 other signatures 16->57 27 conhost.exe 21->27         started        35 C:\Windows\System32\drivers\etc\hosts, ASCII 23->35 dropped 29 conhost.exe 25->29         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d3ed59aa66458ead040f4d4b8e0df0e90b5ed1301102b9913516317feca3fbaf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-28 00:03:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pwvtktgiwhk2bapjvfy4dpq5efv5ujqcebltejvcyyx73fd7oxq._file
Verdict:
unknown
Similar samples:
07c764029bc53a23ecde50473f42e72e44b1eed4001cff0566366b19340fec5f
AgentTesla
08f8fb048455eaa71cf153651e2c8643e1669ad29be5f523de0b8bb39996e92c
AgentTesla
1b514f5e6484c97155dda3e6ee1073f41f19318af2d00d0bec33c6dc7844c3f6
AgentTesla
3dde92f19924860f0874ee0fe3fab80a1112c20e18d9782528bd7c471f0f2344
AgentTesla
3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd
AgentTesla
5b7c7d4bf17521dddc7ee1accfee37d1b50e89f634e7c67439ae92dcef4c32e3
AgentTesla
8ca38b4cf8849e7b7d18cc8afdae915c4dedc2f5aaca4b9a4fd57bdfd5e25a25
AgentTesla
ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8
AgentTesla
ca54068918281e4c84cdd17b0a834f9518cda57c362d82a8393bcae117af33c0
AgentTesla
cc93a9e201ac4c87c3bad57865bea80244c9ecbeb9a381ba467a81fe1b86a015
AgentTesla
+ 12 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210528-cwc6y2lvxe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3ed59aa66458ead040f4d4b8e0df0e90b5ed1301102b9913516317feca3fbaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ee05a81d7e454e912e13f570056510e3cbcbd5be08d1a0203d9cd276bed3ca7c

AgentTesla

Executable exe d3ed59aa66458ead040f4d4b8e0df0e90b5ed1301102b9913516317feca3fbaf

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ee05a81d7e454e912e13f570056510e3cbcbd5be08d1a0203d9cd276bed3ca7c
Cape
Cape
https://www.capesandbox.com/analysis/162887/

Comments