MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3f85300e3f5b35b97fa3a8622aab9fda3921a8e3c6380a2107c451d58d67412. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3f85300e3f5b35b97fa3a8622aab9fda3921a8e3c6380a2107c451d58d67412
SHA3-384 hash: 6ac14e6041a8c36380fe3d7a297edf1a7f8d20fe0a36fdafa2d6a5f436218cd30011cc537080c692c73de15f4dc4810c
SHA1 hash: 72f2c8e0a63cef52d0f8a35c0a532c7934fde5a7
MD5 hash: e8081003e06ce4a48e2fa4a9a0f1dd50
humanhash: queen-butter-table-tennis
File name:nDoc_032056193.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:84'808 bytes
First seen:2023-12-22 20:33:45 UTC
Last seen:2023-12-27 13:54:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:1H4WaH+j1EF8dEteOWvkFQHwc/oDIHqHYDRIhYfo1I8Yy03uLsSHZAMxkEyYy03Y:1Y3HK1ECd/ze1I8W3uL5BxmW3uLDixG
Threatray 5'840 similar samples on MalwareBazaar
TLSH T19B834D5677D0ADA0D4D08D737987DA2A9FA3BEB9DC11C34321C0F21F063676296632B6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 23272f2f2f2f2f0b (3 x AgentTesla, 2 x GurcuStealer, 2 x Formbook)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
309
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
nDoc_032056193.exe
Verdict:
Malicious activity
Analysis date:
2023-12-22 20:35:04 UTC
Tags:
evasion agenttesla stealer
Link:
https://app.any.run/tasks/61b05bca-0688-4e0b-a23a-92ef3ee6a56f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469087/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.43467.19772.19100.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm overlay packed
Link:
https://www.filescan.io/uploads/6585f2bab855eb3693ee22ba/reports/1440abf0-faf4-4f00-bc6e-71824240b115/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e3f85300e3f5b35b97fa3a8622aab9fda3921a8e3c6380a2107c451d58d67412
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/336bae9d-6c2c-41f0-bce9-fe9f89b43a73
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366398
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1366398 Sample: nDoc_032056193.exe Startdate: 22/12/2023 Architecture: WINDOWS Score: 100 32 server1.sqsendy.shop 2->32 34 ip-api.com 2->34 36 2 other IPs or domains 2->36 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 9 other signatures 2->52 7 nDoc_032056193.exe 16 5 2->7         started        12 plrotv.exe 14 5 2->12         started        14 plrotv.exe 2->14         started        signatures3 process4 dnsIp5 38 82.118.21.69, 49705, 49711, 49724 GREENFLOID-ASUA Ukraine 7->38 24 C:\Users\user\AppData\Roaming\plrotv.exe, PE32 7->24 dropped 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->54 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->56 58 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->58 60 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->60 16 nDoc_032056193.exe 2 7->16         started        62 Multi AV Scanner detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 66 Injects a PE file into a foreign processes 12->66 20 plrotv.exe 2 12->20         started        22 plrotv.exe 14->22         started        file6 signatures7 process8 dnsIp9 26 server1.sqsendy.shop 63.250.35.178, 49708, 49709, 49710 NAMECHEAP-NETUS United States 16->26 28 api4.ipify.org 64.185.227.156, 443, 49706, 49712 WEBNXUS United States 16->28 30 ip-api.com 208.95.112.1, 49707, 49715, 49727 TUT-ASUS United States 16->30 40 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->40 42 Tries to steal Mail credentials (via file / registry access) 22->42 44 Tries to harvest and steal browser information (history, passwords, etc) 22->44 signatures10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e3f85300e3f5b35b97fa3a8622aab9fda3921a8e3c6380a2107c451d58d67412
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e3f85300e3f5b35b97fa3a8622aab9fda3921a8e3c6380a2107c451d58d67412/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-22 11:49:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4p4fgahd6wzvxf72hkdcfkvz7wrzeguohrrybiqqprcr2wgwoqja._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0574c519f3223ce91d01d30e35da2f6c64d58676854720230e92766accf145ee
AgentTesla
7948315565e8321056661c7aabdeb10e01ca73d2425a6f6bd17593a0ffb484ef
AgentTesla
aa3d6760a1c5dbfcf7407c4e69f853b33f882cfc17daee6f18e037ed3a763e11
AgentTesla
b4cbf684e8873e04a1ff54c62bdb9eb5782d1cea507edc3cef13ac280f049a2f
AgentTesla
d92da33493917017ff937789890dfacd02c22671abd9ea8c196ea9dfd90f3a72
AgentTesla
+ 5'830 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:zgrat keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231222-zcep8adchl/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
e3f85300e3f5b35b97fa3a8622aab9fda3921a8e3c6380a2107c451d58d67412
MD5 hash:
e8081003e06ce4a48e2fa4a9a0f1dd50
SHA1 hash:
72f2c8e0a63cef52d0f8a35c0a532c7934fde5a7
Link:
https://www.unpac.me/results/d0e25f63-f230-453c-9492-56f9b1025447/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e3f85300e3f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.12
Link:
https://yomi.yoroi.company/submissions/e3f85300e3f5b35b97fa3a8622aab9fda3921a8e3c6380a2107c451d58d67412

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e3f85300e3f5b35b97fa3a8622aab9fda3921a8e3c6380a2107c451d58d67412

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/469087/

Comments