MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 353ae3fcced86a2ae12f8b249900180eeeffb722a2c56b46356c8f4ec4461925. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 353ae3fcced86a2ae12f8b249900180eeeffb722a2c56b46356c8f4ec4461925
SHA3-384 hash: aa5fb09dc005044c41695640cca55fa86db34fdf1ad48a9073ccc27d330b6038ad662ec386a5026764b455e8bfc295bd
SHA1 hash: 6e03c83fc468980003d8b6cc9a2690052c8fbe2e
MD5 hash: 2eb615a83afed8792190b04dea641217
humanhash: fish-video-solar-chicken
File name:SecuriteInfo.com.MSIL.Kryptik.WOX.31681
Download: download sample
Signature AgentTesla
Create hunting rule
File size:349'696 bytes
First seen:2020-07-07 16:03:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:veu8dx9dibsdbPr9o1GImfkfQaWkdtjO9e5BhRrDWutMXXZqXaZD3:WTRiodbPryAIm8jW4tjYQYut4Zr
Threatray 10'798 similar samples on MalwareBazaar
TLSH 8874D04C65259350C48DDA31F8C25B6643F090EBCB52EB036D4C0E6C3866AFEFA56F96
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Agenttesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22361/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WOX.31681.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Creating a file
Forced shutdown of a system process
Stealing user critical data
Enabling autorun with Startup directory
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/353ae3fcced86a2ae12f8b249900180eeeffb722a2c56b46356c8f4ec4461925/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 14:12:41 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gu5oh7go3bvcvyjprmsjsaayb3xp7nzculcwwrrvnshu5rcgdesq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
21d9eab05cfdf3ee39d42b6b22b48ebb550dee74f57141459e26315a1750d366
AgentTesla
4163f850032d58f8df3a47be1173ff7ff5d89c989512bd08979e724261994345
AgentTesla
423c8c0b4eb6fc15b614326190cbd2b932f5480fdc1791ca9c03dc696ef61b31
AgentTesla
47f057ec789a5f82408d0efd68ccaae4864835176dae7cdef08415ec8d76d695
AgentTesla
5772f99f2fb2648a9252d6742881ed81b380ce0c6986270a600ab2b975f5c4de
AgentTesla
73f4a9ed2cc796b0a7633ddb086b405ab88b5a626875e792c89fa178f18fd1ee
AgentTesla
9023f7b2da3424f0542a1ccf961ad9a6f55c37351cf530e8811f9875bf3a6f8d
AgentTesla
923c1da2e7e5f9d534345df74620480dfd475c48319ecec7f19c686b83804337
AgentTesla
9e685dbb18a96ef4d8877f5b516ab8e5821ae79512d7dfe011330633775c289c
AgentTesla
dbc161933aaec1f13250088d9923431b800c6b1dac117c4fbbe834c43b0b441b
AgentTesla
+ 10'788 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200707-3k5gk9126j/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Drops startup file
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 353ae3fcced86a2ae12f8b249900180eeeffb722a2c56b46356c8f4ec4461925

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/408639/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/22361/

Comments