MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db3691bd029c0e2db482666cdae1be9dbd30e488eeffc6fbffb1b52976705c99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db3691bd029c0e2db482666cdae1be9dbd30e488eeffc6fbffb1b52976705c99
SHA3-384 hash: 00a5ec55cd2bad9ab346da2d697d790caea7bb6632069f9e8d35f10319bfe4b8c86230efe4717cee704392a2226fa85a
SHA1 hash: 88dc154543d6ab6df67c13c7580bd9b7faaa2558
MD5 hash: 75cbee19828908744daa52cdfe0bdeb4
humanhash: london-ceiling-sodium-bakerloo
File name:75cbee19828908744daa52cdfe0bdeb4.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:41'472 bytes
First seen:2021-02-19 11:58:20 UTC
Last seen:2021-02-19 14:00:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:MmWwPVeT83Czk7vxZn2HyreXWr6JWfmvUnemtdK:jWueT8Sa32HjWr6JdWeqk
Threatray 2'780 similar samples on MalwareBazaar
TLSH D2131AAD6A401497C82D1B31B423AA6003B69C9298416AEF9FBC7E0B7C3F1450C57DAF
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117999/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.11969.15789.22863.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Creating a file in the Windows subdirectories
Creating a file
Sending a UDP request
Setting a single autorun event
Blocking the User Account Control
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/612637
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355331 Sample: 3zKVfxhs18.exe Startdate: 19/02/2021 Architecture: WINDOWS Score: 88 80 Machine Learning detection for sample 2->80 82 Binary contains a suspicious time stamp 2->82 84 Sigma detected: System File Execution Location Anomaly 2->84 86 2 other signatures 2->86 8 3zKVfxhs18.exe 23 12 2->8         started        13 explorer.exe 2->13         started        15 explorer.exe 2->15         started        17 12 other processes 2->17 process3 dnsIp4 76 192.236.147.189, 49708, 49724, 49727 HOSTWINDSUS United States 8->76 58 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->58 dropped 60 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->60 dropped 62 C:\Users\user\AppData\...\3zKVfxhs18.exe.log, ASCII 8->62 dropped 64 2 other files (none is malicious) 8->64 dropped 88 Creates an autostart registry key pointing to binary in C:\Windows 8->88 90 Adds a directory exclusion to Windows Defender 8->90 92 Drops PE files with benign system names 8->92 19 AdvancedRun.exe 1 8->19         started        22 powershell.exe 24 8->22         started        24 powershell.exe 24 8->24         started        34 2 other processes 8->34 26 svchost.exe 13->26         started        94 Drops executables to the windows directory (C:\Windows) and starts them 15->94 30 svchost.exe 15->30         started        78 127.0.0.1 unknown unknown 17->78 96 Changes security center settings (notifications, updates, antivirus, firewall) 17->96 32 MpCmdRun.exe 17->32         started        file5 signatures6 process7 dnsIp8 74 192.168.2.1 unknown unknown 19->74 36 AdvancedRun.exe 19->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        66 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 26->66 dropped 68 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 26->68 dropped 98 Machine Learning detection for dropped file 26->98 100 Adds a directory exclusion to Windows Defender 26->100 42 AdvancedRun.exe 26->42         started        44 powershell.exe 26->44         started        70 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 30->70 dropped 72 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 30->72 dropped 102 System process connects to network (likely due to code injection or exploit) 30->102 46 AdvancedRun.exe 30->46         started        48 conhost.exe 32->48         started        50 conhost.exe 34->50         started        52 AdvancedRun.exe 34->52         started        file9 signatures10 process11 process12 54 AdvancedRun.exe 42->54         started        56 AdvancedRun.exe 46->56         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/db3691bd029c0e2db482666cdae1be9dbd30e488eeffc6fbffb1b52976705c99/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-02-19 11:59:06 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3m3jdpictqhc3necmzwnvyn6tw6tbzei5374n677wg2ss5tqlsmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07971958696b43eead2da2114b7a3965b492cdae39843078f16d56ad331427fe
AgentTesla
0db50b639d859d3ddf9aa74f96d12f7ecb189a0b3006a7ed1cfd73edbc34d220
AgentTesla
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
360dc7aa2889b1ed05b553eccab73348de2fae89cd7742e64422712298b670ca
AgentTesla
38e808b501a37c1331be6a4355ff59cded87bb6316d4fac99bf4216647417996
AgentTesla
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
AgentTesla
90d6d22bb3a17944aa7cfb0810b5f70fecee0edbb1c48f263bdcc9bd93e342d4
AgentTesla
99d1e6642a3f135215927e2166213409c4390a70332a77ea5fb342beaf629d65
AgentTesla
ac7be59f994a2d6ba829e6a7db30ce60594cc2384c55d673e72ee1256737946a
AgentTesla
c725eea92437455b05cf0c4007e63abff342befc67e4b8ad0e60eaa96074955e
AgentTesla
+ 2'770 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210219-nbkl1e387x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
db3691bd029c0e2db482666cdae1be9dbd30e488eeffc6fbffb1b52976705c99
MD5 hash:
75cbee19828908744daa52cdfe0bdeb4
SHA1 hash:
88dc154543d6ab6df67c13c7580bd9b7faaa2558
Link:
https://www.unpac.me/results/ab29ad61-a405-4b69-bd9a-690d87cadbd2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/db3691bd029c0e2db482666cdae1be9dbd30e488eeffc6fbffb1b52976705c99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe db3691bd029c0e2db482666cdae1be9dbd30e488eeffc6fbffb1b52976705c99

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/117999/
  
URLhaus
https://urlhaus.abuse.ch/url/1019371/
  
Delivery method
Distributed via web download

Comments