MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff3c396049c100121be3f3140824dea82b62bbb17e63fe6586650ba56cc75298. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	ff3c396049c100121be3f3140824dea82b62bbb17e63fe6586650ba56cc75298
SHA3-384 hash:	ceaf305dcd92439630e3e12fc056a9fa458062e3700664d1316251bb484badfd1c7caa53d8758e50e0c254fcaf349f7e
SHA1 hash:	b33819564eb45d10745ec759f23e0ef426df48f4
MD5 hash:	8e5a3fa366c41a239f860855f59caf6d
humanhash:	ack-finch-sierra-connecticut
File name:	SecuriteInfo.com.Win32.PWSX-gen.7233.16866
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'100'800 bytes
First seen:	2022-10-18 04:22:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:zhxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNuss+AMzalK:BZOko1CGykFdj
Threatray	20'785 similar samples on MalwareBazaar
TLSH	T1C7356AB626D41257E42972B58193E1F322FB6E506011E2CB58C31FAFBC902BBD52774B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.3% (.SCR) Windows screen saver (13101/52/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	1031ccc4ccccaa10 (14 x Loki, 12 x SnakeKeylogger, 11 x Formbook)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

224

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321192/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.7233.16866.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/634e2a28455bf4ac5c714dee/reports/180165be-76ab-4637-ac91-44546311c2ad/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b822e4ce-e3c6-4b04-9d6f-5b7005909519

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1092412

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Contains functionality to register a low level keyboard hook

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ff3c396049c100121be3f3140824dea82b62bbb17e63fe6586650ba56cc75298/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2022-10-18 04:23:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

11 of 26 (42.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=746dsycjyeabeg7d6mkaqjg6vavwfo5rpzr74zmgmuf2k3ghkkma._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2107eeec59919ea8ec495701134e942d7f88d19de70b97016f1df74b16c8c90d

AgentTesla

24b0889aeba0fa92e2cfbd9f9a5ccf708bfabe6b1425a9f35ce59b012f14b4ab

AgentTesla

71720ec77fe5f1bf93446abc71b1ae23da1e5bff3d45ca6eb0d52e8739e4a155

AgentTesla

76c62b27943302da33b608e13bb0ad5b594cf1327b91395f6d07311133f0d624

AgentTesla

ab91459253a14ca086ed1b79f0958b331fc09b7d611ef953ca85c045ff43024e

AgentTesla

d5af77fbabd67255d4d1f3e31f0379496c8dd2401198f663e9dc25c64851d5e2

AgentTesla

ee521d7554ad7fba79ca211b807366a879fbf25bc57de72d76f0e366a81503fb

AgentTesla

+ 20'775 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221018-ezsv5sedh4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Gathering data

Unpacked files

SH256 hash:

aa43aba05f0543fe2405979bd2a50c30f2cba119b73e84667e0aae2c69339565

MD5 hash:

8ad8a436d63a9e2f369be485e665d22e

SHA1 hash:

81c5b8787f2e7d96db24b82a49bc44f303384c23

Link:

https://www.unpac.me/results/d1a77c6d-185c-4756-bdfd-77fe9487cf1b/

SH256 hash:

cd2d46f156e784a7385953a42f5afc0f9d3221903a323fb6dbdc117c49ba992b

MD5 hash:

62a518baa018ac1a6f9ba0571e85205a

SHA1 hash:

61d4f659f92bc5ad8c5fbd408d3e3992d1672660

Link:

https://www.unpac.me/results/d1a77c6d-185c-4756-bdfd-77fe9487cf1b/

SH256 hash:

eb3e33abe7d180ea7c4a18114d714b8df2aac8a79ad2429551786e1c6da8ade7

MD5 hash:

680c6c5ae23f2106902c8794f8478b57

SHA1 hash:

4f6c9682e47960e10f500bfaa9f399b46c3d0687

Link:

https://www.unpac.me/results/d1a77c6d-185c-4756-bdfd-77fe9487cf1b/

SH256 hash:

678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5

MD5 hash:

2da433d67db4775d8f02a8fed4b31bf3

SHA1 hash:

235fe8f2076f3b5cfffacc574825550cee8e61e9

Link:

https://www.unpac.me/results/d1a77c6d-185c-4756-bdfd-77fe9487cf1b/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/d1a77c6d-185c-4756-bdfd-77fe9487cf1b/

SH256 hash:

ff3c396049c100121be3f3140824dea82b62bbb17e63fe6586650ba56cc75298

MD5 hash:

8e5a3fa366c41a239f860855f59caf6d

SHA1 hash:

b33819564eb45d10745ec759f23e0ef426df48f4

Link:

https://www.unpac.me/results/d1a77c6d-185c-4756-bdfd-77fe9487cf1b/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ff3c396049c1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ff3c396049c100121be3f3140824dea82b62bbb17e63fe6586650ba56cc75298

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/321192/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample