MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3753dcab0eb217e15611892515399223ae49d75fa9c28fae458a4590b407f205. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3753dcab0eb217e15611892515399223ae49d75fa9c28fae458a4590b407f205
SHA3-384 hash: 393eb7c3ff59fef4563986a643373e42058c63050eed38035b2d4cc075343018e65fb2a4403d2a78f757500b1309b7f9
SHA1 hash: b93bc4b45144c1c1b88d7662c182eeb6b78ea051
MD5 hash: d731ee12e40bdb2d2b2071ffea70d916
humanhash: happy-lamp-charlie-hot
File name:quotation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'461'760 bytes
First seen:2020-06-16 05:17:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:RAHnh+eWsN3skA4RV1Hom2KXMmHahAaBP9GCBOd290fkPYJXDfuNfNbB5:oh+ZkldoPK8YahAaBP9GCwU6CY16Nf1
Threatray 11'106 similar samples on MalwareBazaar
TLSH 4D65CE0273D1D036FFAA92739F66F20156BD7D250123892F23982EB9BD701B1267D663
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: hwsrv-735199.hostwindsdns.com
Sending IP: 104.168.152.138
From: Belle<belle@idealups.com.tw >
Reply-To: hirschmanncompany@yahoo.com
Subject: quotation
Attachment: quotation.zip (contains "quotation.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10556/
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 05:19:04 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g5j5zkyowil6cvqrresrkomseoxetv27vhbi7lsfrjczbnah6icq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f35e7102902d86698a8260c38b1d0df32d11306752a7e689a04210bf9b3870d
AgentTesla
1bd7fcf59176999d49faee562f699d840b4c1dd697055fa66e6a52c0846a9b42
AgentTesla
3ce9849a8dac1e1dbc85706d28667072289247e2ecd262134b9e014a939d6310
AgentTesla
6d88a783f9115bb719123cf5d5f2f40e7c1d3073f7561df274ce72db49f35c30
AgentTesla
7127bd5267af450e0d9bd47a6b1e84add8dd1a0d44c93873ae4a19464696ace5
AgentTesla
7b0c87e7c348aeeed116a9a82845a71ca123d99aa4748911f36e0e38d1a03797
AgentTesla
9079943117ea724add13043f94f0ca39a82085d386959586eed56b5fae69ccfb
AgentTesla
aeb6249bd3a0f9549ef2351ee2cbdea0d0bce84f0633f49af6c1169ea0628f52
AgentTesla
b3f57d07595abc550783574e28253125b1d54560c372a538accd06f078ba4da8
AgentTesla
c99d0b434418dcf5e39b3389aebabfd10bd9920e5ca670bdedc08dbd0832dee2
AgentTesla
+ 11'096 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-f5qgfs6vgs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a5efba0bc64984b1d37fee530faad1dd933fbe37028a3aeffecdb4972d907976

AgentTesla

Executable exe 3753dcab0eb217e15611892515399223ae49d75fa9c28fae458a4590b407f205

(this sample)

  
Dropped by
MD5 cb48ccbc1d987274d02e0e7ed38b2511
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a5efba0bc64984b1d37fee530faad1dd933fbe37028a3aeffecdb4972d907976
Cape
Cape
https://www.capesandbox.com/analysis/10556/

Comments