MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3153b96e0d31eb2901117a088ffcdbe7e88ba65660171b0f0d43295ea21a27b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3153b96e0d31eb2901117a088ffcdbe7e88ba65660171b0f0d43295ea21a27b0
SHA3-384 hash: 4fcd42624b66e950211634046cbaec787333635d74270819f8a4c4da0b7de3145c1e7233c564a9e89ab7bbe77fda9e50
SHA1 hash: 66bed09ca8d3a62dae4040c8ed3c85413376d179
MD5 hash: b359f6f166a841a1eadb58deb2e9f58e
humanhash: football-crazy-virginia-black
File name:PDF-34569876545677654567-7655612.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:419'328 bytes
First seen:2020-08-04 13:37:28 UTC
Last seen:2020-08-04 15:22:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2d00fc4271c3f42efcfb8ae80a5dd76 (2 x AgentTesla)
ssdeep 12288:6ldjCmdFfe1yzpbpbIrmjWdbACd3/Nb7m7bwR:6DjCmdFeyzplbkeCd3d7w
Threatray 10'651 similar samples on MalwareBazaar
TLSH 6694D06435C8E226F043493ABC18DE7BDA75F7302D24980773D05B5A6F26AF6C524E2B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: smtp6.mailgatewaypro.com
Sending IP: 85.95.228.151
From: cuentas <cuentas@patiodelacartuja.com>
Subject: Re: ConfirmaciĆ³n de aviso de pago
Attachment: PDF-34569876545677654567-7655612.lha (contains "PDF-34569876545677654567-7655612.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38745/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/409527
Signature
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3153b96e0d31eb2901117a088ffcdbe7e88ba65660171b0f0d43295ea21a27b0/
Threat name:
Win32.Trojan.Skeeyah
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 13:39:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gfj3s3qnghvssairpiei77g347uixjswmalrwdynimuv5iq2e6ya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2797fabdb7ec8843947933f792ef8db22cc3bab5e06f8204ab4697acd0a04d55
AgentTesla
29351837be2ee7ec1cd05fb09ee502ef3f43dfc549d23d69d4b61c400343d899
AgentTesla
34408552d34edc061e6bce5aa476bdfa09f5c8a7f1936d902dea430c0fa14d62
AgentTesla
43f7ca6a635db4dedd6c734f3af9ba5a96d87b4698f1c4eec56c8b86f6be26c9
AgentTesla
6bab78869dbbef0f84e21ff64ef79e4d2f5b5c672b3d8ef48dc520c674b81c5d
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
90aa9f9ad74752d2965816d8d68399d2b1c4fdce28c2ca57753196b3a2d60b34
AgentTesla
a132044c5acdf6901718ff3e7b6cee80b0d976f32d8876b2352b08d316feacf7
AgentTesla
b04580b535d7a018ff5b8933e399b7b1497b3dfa896798fef656412a925ceb78
AgentTesla
f9cdc89e99a471146ead33ee9c93bca0ecc286e65cf326c4450a9d6d8597153b
AgentTesla
+ 10'641 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200804-sehawhp5ne/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3153b96e0d31eb2901117a088ffcdbe7e88ba65660171b0f0d43295ea21a27b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip f9632d3304b3c47e81ac5dc18fd28373eeab24600492502d0b23e3f724c4aa50

AgentTesla

Executable exe 3153b96e0d31eb2901117a088ffcdbe7e88ba65660171b0f0d43295ea21a27b0

(this sample)

  
Dropped by
MD5 c1645184c8269e76832cf773ee7e0d15
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38745/
  
Dropped by
SHA256 f9632d3304b3c47e81ac5dc18fd28373eeab24600492502d0b23e3f724c4aa50

Comments