MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a646d051e183a55d297b684e6f74bc95ab57846c8ffde301338a5b60f8ed7c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a646d051e183a55d297b684e6f74bc95ab57846c8ffde301338a5b60f8ed7c7
SHA3-384 hash: 1436429fc68bcce5e4ab37abfdb96457a4550c5d00943947aca4e68518e12e78b9209a1a0dcdb3953f734a6549e0d0ac
SHA1 hash: 06ededc3d1f09a9201b810cc0ed61ced8efd4ed2
MD5 hash: 5048b25921a0da530b45c01906eb5eed
humanhash: hotel-two-arizona-oven
File name:Orden de Compra #972020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:401'920 bytes
First seen:2020-07-09 12:03:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:dU2Z8Tc0iH9F/Yh6uBerF7UFv6Yudafv3osvP:qiH9FnuErNg6DEA
Threatray 10'580 similar samples on MalwareBazaar
TLSH C384F02C1BFE0B23D5AA9BBCF5AA210087B1BD352553E7541BC0B8EA1DB3780DA50747
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: outmx-267.london.gridhost.co.uk
Sending IP: 31.170.120.152
From: Paula Dominguez <pdominguez@pablopadilla.com.ar>
Reply-To: Paula Dominguez <ventas@mingetal.cl>
Subject: Re: Orden de compra
Attachment: Orden de Compra 972020.r00 (contains "Orden de Compra #972020.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23734/
Detection(s):
SecuriteInfo.com.Generik.FDYKDRB.9141.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3a646d051e183a55d297b684e6f74bc95ab57846c8ffde301338a5b60f8ed7c7/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 08:59:13 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjsg2bi6da5fluuxw2con52lzfnlk6cgzd754mathcs3md4o27dq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02e52123ac380ed5e3b0b8ce9322680b8e1d8082c9f181588cc7213cd701d69d
AgentTesla
1237b8ef1ef28e7481b47113c644429a68c87858cc5ee8a020607f75696863d1
AgentTesla
13444c52c094b2067a66767847b8a2151da087a99c9391a2547a53a3e4de7056
AgentTesla
2331837cf27d223a23b000cdf14f026c383a628ae69d516726b19fcb9424359a
AgentTesla
305586aa88966e490ba86bb7cd7a2e1cbe9f195c84b70aaf5ef0c9e714961723
AgentTesla
681eec22b304d975c119e8b5721abd7b4ee6586361b51dda2c93f5a4c426abe4
AgentTesla
6e9ef93b4bb2c7ea78dbba96cb34e747294454c2d142276329951e580044ddd3
AgentTesla
7b668bf6740289b2750a497800467fcf725fb111071e3ea4e74153e5159a3aef
AgentTesla
970db37b1b904855cd21d80818893f3b1d739dd9ecaaf8a38237c07e0d455d8c
AgentTesla
ab7b7b589c80bc6ceb6f90ef56b1b9041f03cf2b67792542dd5e4f738db99c44
AgentTesla
+ 10'570 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200709-8tzrpnhrxa/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 5c675887002ec341e6e8db875051b8f0ce410d272256d62cbbc46efa9aee6a51

AgentTesla

Executable exe 3a646d051e183a55d297b684e6f74bc95ab57846c8ffde301338a5b60f8ed7c7

(this sample)

  
Dropped by
MD5 54ad8e2cce185c6f27159a0388c05b7c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23734/
  
Dropped by
SHA256 5c675887002ec341e6e8db875051b8f0ce410d272256d62cbbc46efa9aee6a51

Comments