MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 301c31d38f7cb13d8128b53666c66e251d7a398c1b0fdae66d52ab0d377852ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 301c31d38f7cb13d8128b53666c66e251d7a398c1b0fdae66d52ab0d377852ef
SHA3-384 hash: d70cb5a94595e7cf94eca474b946aa6bbff354ce6ea4edb497260519c9953d7571133801cdf1b2e522f1067e3b34c4ad
SHA1 hash: c4c6bc3ce6e2ee682982403e97eb5364ebd9b01d
MD5 hash: ad5ecefbac91d7cee3191da22872e2ec
humanhash: pluto-september-wyoming-johnny
File name:PO 4800049984.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:414'720 bytes
First seen:2020-06-30 06:39:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Z5VelUt5kqq7U/HnI3cMwp0PRzZSx68T/GeaQc:3VelsaU/HI3dpzZSx1T/0
Threatray 136 similar samples on MalwareBazaar
TLSH 2094023123A95B36C0FE8BF460B045250FB1B05F3511E35E6E52A5EE16B7B609334BAB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: rallis.com
Sending IP: 209.58.149.86
From: Purchase <vivek.patil@rallis.com>
Reply-To: sultan.works28@gmail.com
Subject: Re: FW: PO Number 4800049984
Attachment: PO 4800049984.rar (contains "PO 4800049984.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16835/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/301c31d38f7cb13d8128b53666c66e251d7a398c1b0fdae66d52ab0d377852ef/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 05:06:43 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gaoddu4ppsyt3ajiwu3gnrtoeuoxuommdmh5vztnkkvq2n3yklxq._file
Verdict:
unknown
Similar samples:
052148f226d2b1e51ca7318eacda6906765138d2e28b290558a2b7003e9f6634
AgentTesla
09d36fe7fb556c5f30897231a8b0cab021d9fd04896eefc838dbe4dee24eb772
AgentTesla
127d1bc07171d0d03ae4ee209692c3c226d0160e23fc08c805d01929a8997874
AgentTesla
2a87cb832286cd46299d51045054aecf69b3a7898a7bef464531f9f9d370e9c6
AgentTesla
35b0f0ea8e64564dacb06fb7c9c4816cbe2962e27c72e83b6cca54c92582a620
AgentTesla
736752175fe91906f41d00670318a55afe8c2c85e30ced11df477f5c61fddac8
AgentTesla
885c0db8dce61efe0b93c41f8eaf4e42f0180ba4b9045d8ca6978298d81bebec
AgentTesla
a440dca4a1559d04426c05899989e611bd77d55b3fe00713b70e1b4968c8f61b
AgentTesla
bcf951a2c7bc31a37486577ae1fc83f97bc1daf987d5a35e9302eb31f5a5ebf0
AgentTesla
f98bb09a67afe83ca7b041488f460d2a8b96224d77f21117d5b0076e04706dd4
AgentTesla
+ 126 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200630-qbh64ym15s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Adds Run entry to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 6b358e7947ac67fa83c41b8ea0616367ef7fc381af1c75a63fddc135bb012ac9

AgentTesla

Executable exe 301c31d38f7cb13d8128b53666c66e251d7a398c1b0fdae66d52ab0d377852ef

(this sample)

  
Dropped by
MD5 142467d4e209bfff239ee1f58a59ec27
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6b358e7947ac67fa83c41b8ea0616367ef7fc381af1c75a63fddc135bb012ac9
Cape
Cape
https://www.capesandbox.com/analysis/16835/

Comments