MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3b4b1719930593f8c1e135c3cc9d40567cd2077600fceb95aabed24792a5252. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3b4b1719930593f8c1e135c3cc9d40567cd2077600fceb95aabed24792a5252
SHA3-384 hash: c6f58206bd8fd6c6a86e8b1a149de48560b77c70858847f8a76c8a0aa117ec2b053dc51d2364946a54030f81f3cef160
SHA1 hash: 154b12723d567234e865db892ccc3efc7bf80e7d
MD5 hash: 28e63e1e10d77ab417e72584e682324f
humanhash: fix-wolfram-uncle-johnny
File name:PO 614457.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:824'320 bytes
First seen:2023-06-07 12:27:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 24576:51U9BqmycgiH75BP1ST/HQLGNBmulUPVrHmZ:5u9Bqmycr7gEklUNr
Threatray 4'916 similar samples on MalwareBazaar
TLSH T1D905F146BABE5B26C436ABF80230523057FDD965703BD28A8ED325DFA464F301E51B63
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO 614457.exe
Verdict:
Malicious activity
Analysis date:
2023-06-07 12:30:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17928f30-6c3c-4dfa-8963-dec92a07161b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/396469/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/648077d45a0066d6c4f7517f/reports/fdece23a-638f-41f3-9116-5206fae5c73b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f3b4b1719930593f8c1e135c3cc9d40567cd2077600fceb95aabed24792a5252
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eff1268e-78c3-4b2f-b352-ddd713666ca2
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1250277
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f3b4b1719930593f8c1e135c3cc9d40567cd2077600fceb95aabed24792a5252/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-02 11:15:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6o2lc4mzgbmt7da6cnodzsouavt42idxmah45ok2vpwsi6jkkjja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0adef78d93aefbf2868d22e5e63265cc574c7fea255e903c0a8e936586ddaf1f
AgentTesla
3f07585c2ab00f3f8cb68b6c3a461c0b267c52531a5bca15d59a6cad1cbbc6f7
AgentTesla
6cdfbcdefb75d6cb8b7394b30dcb4cf81fe1f2e0fc584dae8cb7fb304d01f0aa
AgentTesla
75084813c3a29787a8329b1dfba9c1865034cae773ead12faed935b9b1e7175f
AgentTesla
8235377c714eb9e58b2db6d39c4091d4b610296e8bfdfae466a8f286e655dabe
AgentTesla
a4ce07acfbdf7bd395f263bd86c3383bfc2d2f21be8df21511c1d37fa40e59b4
AgentTesla
b3ca0b93eff9f2f129fe069e2b7dc734f749db4d098a9be27e28e36519b3fb70
AgentTesla
c70b193a2cfb726c02359b7acd2fc0d5c59986b9f24058e1f3bb37767fa944e4
AgentTesla
cd8bc55c70d85611ef59efe45a5676da4e0b82f067cf188035fe9c28be2c591f
AgentTesla
cf6d236b07b02bcded4e19c6bb1ce31df4993c2961fb8544a9337969e44eff9c
AgentTesla
+ 4'906 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230607-pnbslaah6v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/46f0afe8-9f67-4a43-bfa1-96b00e8362ba/
SH256 hash:
70b8a67d5ad715fabfc20d16120f01e11140836505556dc11539c75723ac9b29
MD5 hash:
c516e17eabb170187720e4297b36d6ea
SHA1 hash:
9d02ca772e7317245eee670c701845fe263094da
Link:
https://www.unpac.me/results/46f0afe8-9f67-4a43-bfa1-96b00e8362ba/
SH256 hash:
59c15353394e2a3ed293c8194a0a40b1c29822ec2caec7e0e9213b9e2a7b3e24
MD5 hash:
2e652bdb9c25b7bbc36bcba66b3a5233
SHA1 hash:
77af9e048e1bb927c102bbf531f21af295a45072
Link:
https://www.unpac.me/results/46f0afe8-9f67-4a43-bfa1-96b00e8362ba/
SH256 hash:
f079da0dfbc9855277ae9d398b58bf2f1330a20008a607dc12b0279f3baaba0e
MD5 hash:
2aeb41c8c1ce3ad1309ba4ee7b21783c
SHA1 hash:
4681a726a038fd9e7226c8e8c7bbca13c7162262
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/46f0afe8-9f67-4a43-bfa1-96b00e8362ba/
Parent samples :
cd8bc55c70d85611ef59efe45a5676da4e0b82f067cf188035fe9c28be2c591f
b3ca0b93eff9f2f129fe069e2b7dc734f749db4d098a9be27e28e36519b3fb70
f3b4b1719930593f8c1e135c3cc9d40567cd2077600fceb95aabed24792a5252
c1861f48bc8684453fc7a339b2bbac26cd79e2c145706066a77b8ab482660c84
b483fa2b04ee2305e50ec070450c43c4feef6d98a30f01aa1f003f11ffad2aa4
6d2a00d71cfe1ac88de75df0150145f8800668afd66cec2c73b0eeae2e4d4b5f
2b4cf6b7907df730c69b34f85e473d4c826c3bc8d423a79b5d7cf0b2a2414b95
SH256 hash:
4afa89c3b62bf720ae4b2d9530628905041d01bc23fb2a36b9104945d7c199b1
MD5 hash:
d1c229b6b5a0463e9f4aae718c8ebbd4
SHA1 hash:
27e879cc78df4ee431ed3279cd2181808f2f95bf
Link:
https://www.unpac.me/results/46f0afe8-9f67-4a43-bfa1-96b00e8362ba/
SH256 hash:
f3b4b1719930593f8c1e135c3cc9d40567cd2077600fceb95aabed24792a5252
MD5 hash:
28e63e1e10d77ab417e72584e682324f
SHA1 hash:
154b12723d567234e865db892ccc3efc7bf80e7d
Link:
https://www.unpac.me/results/46f0afe8-9f67-4a43-bfa1-96b00e8362ba/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f3b4b1719930/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/f3b4b1719930593f8c1e135c3cc9d40567cd2077600fceb95aabed24792a5252

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 29cc2fbd6fe5239934f809dfa390b13659d89d5a0aa51bf9ede079b7130bd85f

AgentTesla

Executable exe f3b4b1719930593f8c1e135c3cc9d40567cd2077600fceb95aabed24792a5252

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 29cc2fbd6fe5239934f809dfa390b13659d89d5a0aa51bf9ede079b7130bd85f
Cape
Cape
https://www.capesandbox.com/analysis/396469/
  
Dropped by
MD5 80258c5e4dad5920bd4edc1215c23d0e

Comments