MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34b3295ad5896150db239597b0502fb978d98f57550aabce938b9f590b4e9948. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34b3295ad5896150db239597b0502fb978d98f57550aabce938b9f590b4e9948
SHA3-384 hash: d96aa76a46b62a977598e8e941363556e3f5c68aa2571855b3756c71ae199cff35544d0b9ce9ba9af85ade96c26cfdd6
SHA1 hash: 9d660fd8c93c5faeff89ebee420f52259a389935
MD5 hash: 02eb476442c712e4ceb0fe93b47e0214
humanhash: network-mirror-fifteen-florida
File name:Certificate.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:430'592 bytes
First seen:2020-06-02 12:00:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:4intG2ZRImk3uITFHuMJMzs+cHe/QxVqzIPfByAzwVySHfg2OJgRiQvr3:4itVhVAHuM2zxpox31wVJHfOJDoT
Threatray 11'341 similar samples on MalwareBazaar
TLSH 5A94026A73148E57DA9411F4C859F70017724DBCA8ABD3C7BDD674EC3AB6BC14A00AA3
Reporter abuse_ch
Tags:AgentTesla exe SendGrid


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: wrqvpcpx.outbound-mail.sendgrid.net
Sending IP: 149.72.60.58
From: MOSHOOD RASITH.B <mager@jscextrusion.com>
Subject: First order payment
Attachment: Payment details.rar (contains "Certificate.exe")

AgentTesla SMTP exfil server:
smtp.seacormerine.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 20:40:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
36 of 48 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gszsswwvrfqvbwzdswl3aubpxf4ntd2xkufkxtutropvsc2otfea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
053bc157e442a323430782ea3b5b79848ea70ae93d94979d1362ab4f39392eed
AgentTesla
097dc388040d619c874beb1b1f407234ceca08b2065fce29e5084e0b9d195987
AgentTesla
0f245e781af8c065c6b729a872e440dd51dc80b6a06ed463a140115d33d97ded
AgentTesla
202e40782853b6efd0c62a2cbdf33891463302014b21b026ef35d51e2d889bac
AgentTesla
5450397ac1f2728fb9fea91b01725d737c380f694477230e196f3524bc0935dc
AgentTesla
5ad20ca410100bf0013fb992a9e4a087e503dad2a9edcd9165f28200961134d9
AgentTesla
7f12463a65ad57727f5fd9d11648ac1c8afce2af47b864c08c656eaef7391a49
AgentTesla
81877c179e72019b2d31b9c4cf64fb7a44b8929e1fc0f6da28bda5e14a7be2c5
AgentTesla
ca61f3fba5e6d86553e1ffe61a2ce58836065b09f6959ff3cf4e778b6ca12436
AgentTesla
e36592e55db1b574420d878db8af79b5bdffe0be9c0829da0457c1cd78399110
AgentTesla
+ 11'331 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-vnrdx2xw22/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 32b57a44358ac8512999e93d61cf9e65902e9e660142ba1193ea5dd58e2e2935

AgentTesla

Executable exe 34b3295ad5896150db239597b0502fb978d98f57550aabce938b9f590b4e9948

(this sample)

  
Dropped by
MD5 1a2f48748bd34b040afe8ac36e12dbb7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 32b57a44358ac8512999e93d61cf9e65902e9e660142ba1193ea5dd58e2e2935

Comments