MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34cf69d94adcbf7c3646400b9d457de10e974790ffa71278291b61426005f13e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34cf69d94adcbf7c3646400b9d457de10e974790ffa71278291b61426005f13e
SHA3-384 hash: ae0a7232fc5068fcce088f8457ff03506a14785af664193500ed9831e5eb4c7902793db64606298f70f857ab7b9a5be5
SHA1 hash: 0fa6a924943f23db0a598903280ac8b8bea84943
MD5 hash: ca8c87affb36ce80079f499ca8dd3182
humanhash: california-magazine-london-robin
File name:DRAWINGS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:377'856 bytes
First seen:2020-07-13 06:23:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:xo2+2GhNrf+tNy+zooi04Ff43W7y/6QnB41XwkYLgynCID7tGKIhK:k2iNw6n4GA6Qnm9KgGCIDZ3Z
Threatray 10'678 similar samples on MalwareBazaar
TLSH C68402F9A3948A26CD7F07FFA4A67D20C7B56B0BA5C7E15C4ED870A41B7A7C1010076A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: cp01.knexel.com
Sending IP: 213.136.82.245
From: LIWA PURCHASE <office@as-ltd.az>
Subject: LW/20/12192 - RFQ # 97572681
Attachment: DRAWINGS.rar (contains "DRAWINGS.exe")

AgentTesla SMTP exfil server:
smtp.blueskypaclficgroup.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24973/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.44431.17737.21968.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching a service
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun with Startup directory
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/34cf69d94adcbf7c3646400b9d457de10e974790ffa71278291b61426005f13e/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 01:46:57 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gthwtwkk3s7xynsgiafz2rl54ehjor4q76tre6bjdnqueyaf6e7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04803c612483d76474860d5942b69d5ee3a68987a258b76283d60b345c188c62
AgentTesla
2449c1f1a898c241fd99ef81dd67ea37db3944708a37a3229f19bf572d7136d8
AgentTesla
38e8792c30ce78e21339820ebb5c607b3b1a2195eae7999c07eca46af5239772
AgentTesla
580930d1a3f4ce1e942b21e4a6b400071952241e6f17bceee44c1fd5621f9190
AgentTesla
72aedefba6c5dc3e13064e87ae4389a18d0293b58214a157ef4c87a8f1538b33
AgentTesla
a9cf92e1eeda276eae412eb2236216cadcb6342d6c4e638ea337349693f633b9
AgentTesla
ae5d3796c3f5cb07398607db131f984843b529115cfa13a6a9590991f29f5db0
AgentTesla
e19036840b004b79bb9ba2de79789e5404c833033f0b22e74e8eb98c1cba3b64
AgentTesla
eaf9e97b4d055b54d926265c1859acf33153daaa94e95c23d4c0849b48c391b5
AgentTesla
fda70d68d95854fd28bf29b6128d0d97b437d20798a532e6bb5c5e26d0785594
AgentTesla
+ 10'668 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla persistence
Link:
https://tria.ge/reports/200713-2q5v114jdj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Modifies service
Adds Run entry to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 111fbfe545923deaa9231d110acd4d123ed84df3f13c803cfe064d8efdf34e96

AgentTesla

Executable exe 34cf69d94adcbf7c3646400b9d457de10e974790ffa71278291b61426005f13e

(this sample)

  
Dropped by
MD5 0a389707c85287bbeb3560a16dcef916
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24973/
  
Dropped by
SHA256 111fbfe545923deaa9231d110acd4d123ed84df3f13c803cfe064d8efdf34e96

Comments