MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3845a8f1b22212dbb08c6a9c95c3cc765a2d9676dbe367acf2c24f845b264bf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3845a8f1b22212dbb08c6a9c95c3cc765a2d9676dbe367acf2c24f845b264bf6
SHA3-384 hash: 81faa73b53763222a6a36e0d99a6c0c5f7f4dede323003d6a03182a4874044a611b381066679cdb70648f93e17c2c9b2
SHA1 hash: 96c13097506af7965036de864bf0ff48a842af5f
MD5 hash: 8ee650d9c83e5e105e523e1431cd6d58
humanhash: louisiana-chicken-indigo-eight
File name:gunzipped
Download: download sample
Signature AgentTesla
Create hunting rule
File size:616'960 bytes
First seen:2020-05-05 11:07:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:DtvyRU+zS+ZO/6C0/KBPlHr66yO1FlDgmxH7PL2T74cx22mnPT5DXOERB+:0NfLSZlL6ufDgmI
Threatray 10'594 similar samples on MalwareBazaar
TLSH 80D47CDD721072EFC85BC472DEA81C68EA5034BB531F4203A42765EEAA4D997CF245F2
Reporter abuse_ch
Tags:AgentTesla


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vps.grupoescala.com
Sending IP: 82.223.18.162
From: E-billing <noreply@baseonline.co.uk>
Subject: Electronic billing operation 894161/5/5/2020
Attachment: _Invoice MV2063576.gz (contains "gunzipped")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EJWW.8935.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Nanocore
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 11:07:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hbc2r4nseijnxmemnkojlq6moznc3ftw3prwplhsyjhyiwzgjp3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04fd9df0e5ec9e9f2ddebfa497adbe3c57876dd52d8b778cee3701f21cf02986
AgentTesla
0f3796394a5e425855d842187813997be61e79058cfc546da575b27cf8c09ffb
AgentTesla
218eadf397c142440e7c54221a6faf836e512446e8d39b850114565b0ca36331
AgentTesla
35912ff3b78d0699082450202cc16cec5c11447c39ec0e4db7738c188662f0c5
AgentTesla
5204a5f0990786d30e0f35b00f422c32f0f075461183a64f708c1215b784863c
AgentTesla
bacaaa40e0f3b6cba3fc498dfbd6f2d198a767453cd8513acdbafa9fefaeed2a
AgentTesla
bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6
AgentTesla
dc96599b170adfa59f1b9af065ca1608cdc0458a6678fdc84d38bbc61bcbc2b3
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
f8166c3c857a7a3ba99515cf6ae242a78050fba7608e24a88e2559e0063a187a
AgentTesla
+ 10'584 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-b9y332dkcn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 89352a8608dc6df3034d4e4a4ffaf43ad12ddc8c475ea74c390aa0186b2d0188

AgentTesla

Executable exe 3845a8f1b22212dbb08c6a9c95c3cc765a2d9676dbe367acf2c24f845b264bf6

(this sample)

  
Dropped by
MD5 70e23c74d814b298d8d2a1555dd14e95
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 89352a8608dc6df3034d4e4a4ffaf43ad12ddc8c475ea74c390aa0186b2d0188

Comments