MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 348ab69ec7c99d1803d0b8b29f5959fff8dd6daed1d992f7da2d796495ac0a67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 348ab69ec7c99d1803d0b8b29f5959fff8dd6daed1d992f7da2d796495ac0a67
SHA3-384 hash: 49c260633f5c0afd603c045962bbc5c20032de37340755ad0294b836c3cae63e25112c20e707b68bd97d86b48dd8efc4
SHA1 hash: 9de6b1e06532084b375f25ae9807086a28522a4d
MD5 hash: 38200f27bf7337dc20db1fe24f8eaf85
humanhash: butter-river-minnesota-sad
File name:OC_Y091648273.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:552'448 bytes
First seen:2020-05-21 10:41:22 UTC
Last seen:2020-05-21 12:24:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:Fd0O4v8zU4BH+cHdUl5Z+BdyXGAjDWFgVH8a:Hb4v2UWH+cHdUjZ+BQGAjDWFgVH8a
Threatray 10'683 similar samples on MalwareBazaar
TLSH C6C41220BBE0AB10F2ED4BF6183221806BB3765BD972D55C1F5631CE6D39F82C691A17
Reporter abuse_ch
Tags:AgentTesla exe HostGator


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gateway22.websitewelcome.com
Sending IP: 192.185.47.144
From: Julia Gutierrez <elena.fernandez@arequipatrack.com>
Subject: RE: ORDEN DE COMPRA
Attachment: OC_Y091648273.cab (contains "OC_Y091648273.exe")

AgentTesla SMTP exfil server:
smtp.megoagro.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.17.6842.21950.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 08:46:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
094f6a9977aca85ca844fdab18035108dda8907b5c7b90416653a573e4e127b7
AgentTesla
62433e4de86d61a56cfc3333382d8a43d666a4839415a88ceca53a0754e06636
AgentTesla
642ce48af8f6fb3c7a74225655ef59a92e7cd4fcb98dc4af02359fb3490a9c55
AgentTesla
6c731b9e623222de40d78c857573d713bafce156a4b42dd445a840fddfe585be
AgentTesla
708819369d030c9ac2cca2a078e695318a8b8289ff78e50a44684761d63173e5
AgentTesla
7ef79b0251ad78e90b1cd1e95fcdd8566ac3629d6a921a3aca8383edc8893f82
AgentTesla
848ae8868ad4d12a679fa8f3de29957f572bb8cca9befeffe7fc68ed6fad2fed
AgentTesla
8c2e223633dad17b0830a0efc0a1a3edfd835e176c5a502d36bb0021dfdbf2dc
AgentTesla
beaa5c13b3a73673a51f0cf8a2c24ef5ec65c3bbe0007520d4af6c37a8d43aca
AgentTesla
ce62db6659d55100dccca756c2782c49aff09f36c9b08439ff357df77a2020a5
AgentTesla
+ 10'673 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-r7axdtwc4n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab 7286ef8488ec32dc085ae927a4c0b7c5f1e3f83a75a189e3dbe1bd7e2ed5512e

AgentTesla

Executable exe 348ab69ec7c99d1803d0b8b29f5959fff8dd6daed1d992f7da2d796495ac0a67

(this sample)

  
Dropped by
MD5 377000993e5a850c394b8711a611bdd1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7286ef8488ec32dc085ae927a4c0b7c5f1e3f83a75a189e3dbe1bd7e2ed5512e

Comments