MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff3f3250034862434276a28909e3290dc17c89d6aab4e784044253ee31f136ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff3f3250034862434276a28909e3290dc17c89d6aab4e784044253ee31f136ad
SHA3-384 hash: 0bce7a1bd6a19fe903336850b3fcd4c93a8bbadfaf121979f83e5e5b15a3ccc1afb481ddf8cf97b158666a0a7d8dccc7
SHA1 hash: ecd0adeff8473ebdfe6ba95db8a0e14b156c5c2f
MD5 hash: ac7b3d4cf6ac759e8b8be76fdae568a9
humanhash: six-speaker-november-nuts
File name:Payment Advice 17-01-2022 SKMBT03783930484080488904003TXT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:422'912 bytes
First seen:2022-01-17 03:25:01 UTC
Last seen:2022-01-17 06:36:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:p1hAbzMT1IYzlZzeld8xSCxnMbE4oxdXHkRRRRRER:3hAbzMpxVelsVxnM3udXkRRRRRER
Threatray 14'545 similar samples on MalwareBazaar
TLSH T11F94131136D5A782D87647F428E3620023F826DBA957E3AD3ECBA4CD6443B534905FBB
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Advice 17-01-2022 SKMBT03783930484080488904003TXT.exe
Verdict:
Malicious activity
Analysis date:
2022-01-17 03:26:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/08cbf3f3-b2a7-4728-b8a5-e2b13f17340c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219681/
Detection(s):
SecuriteInfo.com.Variant.Kryptic.18.113.9836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61e4e190f81da814af87b195/reports/31dd5215-1dbd-4a63-a5e3-27f905b95209/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a92e751-54a2-4969-874b-9b98d857d45f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921529
Signature
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-17 02:33:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=747teuadjbregqtwukeqtyzjbxaxzcowvk2opbaeijj64mprg2wq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
144c28f64d5e23966923a2a0c779286494f27b3fba1ccde62731d861d7852461
AgentTesla
179d2c41bfd55de708d53b5c422df71f8a121aa67526edff75ba727e45db232f
AgentTesla
1a38d6405f32c9c305a39a7f909cdc0834208fbd6ad1435bfd0794386ce71878
AgentTesla
1fa49d8200559915bd7a748f844cc16c52e5067e09b859bebed6591a6ce3abb3
AgentTesla
3869d9e129d4455ee5e45533d8625346a559bc275e2d4834d89b21bd2118c871
AgentTesla
70a95a4f9d14e1eba560bf099472de80894b047dc943c8e451e84d0e60eac587
AgentTesla
a3d226c6d6bc10bb4bcff72350676cd2ff897613520b0cf6f1b1153b077b159f
AgentTesla
caee5cd41b3a916702d8cd65189cb32ece59f9846f8d55018b7e057907a871ff
AgentTesla
ff3f3250034862434276a28909e3290dc17c89d6aab4e784044253ee31f136ad
AgentTesla
+ 14'535 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220117-dymgasgfc5/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
0cd52fcde442097a676aac36a8881df78442ab162cf5693f8b581f68f3c14f62
MD5 hash:
6e8aa66f3596f926813d4b36a1af7f40
SHA1 hash:
7b376740269239a84013b23fcd4efdcd143df5a4
Link:
https://www.unpac.me/results/41bf25cc-e0fd-4f43-b68f-547d628d315b/
SH256 hash:
28e56ab06586ca6335532d66bf9540c8540130d4abc7249e7eebe2a499884f59
MD5 hash:
ca3a6c5630d13f41cb7cf2b804d18fd9
SHA1 hash:
2c120510a6be153952570ae1e8551f9ea2243af1
Link:
https://www.unpac.me/results/41bf25cc-e0fd-4f43-b68f-547d628d315b/
SH256 hash:
2788613dd39db003349b73ad823d1da4419cae4d3b28a00821d2d94bc2e1b791
MD5 hash:
bc5c09a201a2c2075f4f6225c15137ef
SHA1 hash:
111f3569e94bf5f156a5081d0a1a3da56d434470
Link:
https://www.unpac.me/results/41bf25cc-e0fd-4f43-b68f-547d628d315b/
SH256 hash:
ff3f3250034862434276a28909e3290dc17c89d6aab4e784044253ee31f136ad
MD5 hash:
ac7b3d4cf6ac759e8b8be76fdae568a9
SHA1 hash:
ecd0adeff8473ebdfe6ba95db8a0e14b156c5c2f
Link:
https://www.unpac.me/results/41bf25cc-e0fd-4f43-b68f-547d628d315b/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ff3f32500348/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff3f3250034862434276a28909e3290dc17c89d6aab4e784044253ee31f136ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ff3f3250034862434276a28909e3290dc17c89d6aab4e784044253ee31f136ad

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/219681/

Comments