MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3458232b533e946c63311cd8241c2a390868950d89c3f5e3aaac3f2413c9b82a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3458232b533e946c63311cd8241c2a390868950d89c3f5e3aaac3f2413c9b82a
SHA3-384 hash: da029c5748ba3438837739d18e736bef55d08d5af38d5975348ce1a8d7e3ac409c7b24737482222b164e58ed3c2e3ebf
SHA1 hash: a9aa47e1ead673ed8cc261f2a909d63595a1744a
MD5 hash: a7bf31bbad9274ece1edf10d1efbad1b
humanhash: washington-rugby-one-golf
File name:PokoWay.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:766'976 bytes
First seen:2020-08-05 13:45:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:HkZWGYlDhZ//qtSMyH5KogfMKtaw7oDPJ954Us3HjfhJ3Bmj3OBL9qv2ynQsb8os:HkKjZASMyHQogfMKj0DBEUYKcyQsQo
Threatray 10'774 similar samples on MalwareBazaar
TLSH 6DF4493C36819809D43E8A7649E49AD277B0E64B7B82C74F2DD6039C7F1279B3B1614E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.inclusion-souken.com
Sending IP: 150.95.183.80
From: Paul Newman <paul@cnode.io>
Subject: SFH002/AT - Export Order - Shipping Specs
Attachment: Offer10044885_BMElectricalWholesaleLtd._8_05_2020.xlsm

AgentTesla SMTP exfil server:
mail.cam-asean.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/39652/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.6204.18278.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/411318
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Agent Tesla Trojan
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257993 Sample: PokoWay.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Yara detected AgentTesla 2->45 47 4 other signatures 2->47 6 PokoWay.exe 4 2->6         started        10 MyKanyAasean.exe 2 2->10         started        12 MyKanyAasean.exe 1 2->12         started        process3 file4 23 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 6->23 dropped 49 Writes to foreign memory regions 6->49 51 Allocates memory in foreign processes 6->51 53 Injects a PE file into a foreign processes 6->53 14 AddInProcess32.exe 17 16 6->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        signatures5 process6 dnsIp7 27 mail.cam-asean.com 107.180.12.39, 49710, 587 AS-26496-GO-DADDY-COM-LLCUS United States 14->27 29 checkip.us-east-1.prod.check-ip.aws.a2z.com 52.0.197.231, 49709, 80 AMAZON-AESUS United States 14->29 31 2 other IPs or domains 14->31 25 C:\Users\user\AppData\...\MyKanyAasean.exe, PE32 14->25 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file access) 14->35 37 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->37 39 4 other signatures 14->39 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3458232b533e946c63311cd8241c2a390868950d89c3f5e3aaac3f2413c9b82a/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 13:47:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=grmcgk2th2kgyyzrdtmcihbkheegrfinrhb7ly5kvq7sie6jxava._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02261d11f15d4b62340ceed9b3ab2e1520ed3206ba85331be8a775426969ba1d
AgentTesla
269770044a2b90764179e7d03229a3977e6034257d036c9f3d977803107f8b24
AgentTesla
757f7141daf24169ff3694cdf0247b7ce0b71c66a970837a71149a69b5b6d371
AgentTesla
82888e4c1b79c13b1030a983093f9c2452631f593ec65a3ec975964e1e3322e7
AgentTesla
971a5e9ae9227ec480b3dff1e342ebbc811d5489b86c6733bc51a3b0519a94cf
AgentTesla
9abbf24b322068da5ac2e1581827d788d787eb8b31685863b1aa048f01ca5190
AgentTesla
9c41470416c33f1ac91bdf39d8bbec407e0214456f9d298e736cd62586345676
AgentTesla
a1579595bc8439774307b941ef20cbcd1e6f3e767859debd8e5e448eda09a0f2
AgentTesla
c68ca95d35436bd4f31c1c447310f00e330b8535395dcd4a6648661d7e42556c
AgentTesla
e47b659eed1b2902835b5c1d40f9c844d707fa08403e7b5f73ed88f9b9c95a6e
AgentTesla
+ 10'764 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer family:agenttesla
Link:
https://tria.ge/reports/200805-fccrwx8btn/
Behaviour
Agenttesla family
AgentTesla Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/3458232b533e946c63311cd8241c2a390868950d89c3f5e3aaac3f2413c9b82a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 3458232b533e946c63311cd8241c2a390868950d89c3f5e3aaac3f2413c9b82a

(this sample)

AgentTesla

Excel file xlsm 161ade8ac6cb6107129a14fa6aceab06e873200ae13ea262bde1c2073c22301c

  
URLhaus
https://urlhaus.abuse.ch/url/424731/
  
Dropping
MD5 ffd8cee0d901445c357a434872b2ed49
  
Dropping
SHA256 161ade8ac6cb6107129a14fa6aceab06e873200ae13ea262bde1c2073c22301c
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/39652/

Comments