MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a66b84fad0de0a2ce0fd2d36242b338cdf621d442f1b2ef12a07c7f97371791. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a66b84fad0de0a2ce0fd2d36242b338cdf621d442f1b2ef12a07c7f97371791
SHA3-384 hash: 630e277af3b62d49062cda5e44d6386d1bb0ad23ed5adf293b172836e902da97709f34702fe400c6197734559832b794
SHA1 hash: b5d3a01e8d3ed49e21ff00a71f03b086e4f9a286
MD5 hash: 486fea9f5196249d4ee4414c17b173cd
humanhash: floor-johnny-cardinal-nebraska
File name:sars document.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:361'472 bytes
First seen:2020-05-13 11:13:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:m3BOyvQLjTEvxyHh+pyZdgzBLqGDFyyrHGssdIrvBGzDHZnj2su:m8yvQPT2g0BpBmsMOvcpq5
Threatray 11'165 similar samples on MalwareBazaar
TLSH F2741216E2DD9A7FD5F809744621224483F4AAB35413FBB67D0E82F859613EA4B013F7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: box.dysstar.com
Sending IP: 64.227.96.209
From: noreply@sars.gov.za
Subject: SARS eFiling Letter Notification
Attachment: sars document.r10 (contains "sars document.exe")

AgentTesla SMTP exfil server:
zstcznz.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 12:24:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
19 of 31 (61.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjtlqt5nbxqkftqp2ljweqvthdg7miouily3f3ysub6h7fzxc6iq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00c63f44b1367e22d7d7887651bbee0ff02e40891480bb0b88d3ae636b912ece
AgentTesla
0b4d001811a23c80e46ea16c0da379ca1ba36db182ff9f1a4d8ca0b61b992d03
AgentTesla
172c74e8e96c4890d099911ab0781d1e2c067f7379ce99d6389943fc36947afb
AgentTesla
3c6ade352dcf983887305516d4badfef0c2ba06e20f90cf34f09c4cf928196b5
AgentTesla
43d9cf724e29e3ebfa8343e50e9e08ae89ebacea0bacdcde4d7c8d827ed51570
AgentTesla
9294a8ea74f411cd80db8d5b32d098e98baf1d035a64e85bca26508014ab3371
AgentTesla
a7b1a7fff061e31af64a38658b4f8de3a537a2b35f3d753f7a8341b68e7a7bae
AgentTesla
c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500
AgentTesla
e9eb4d205fad12909fcee34a44bceec578b13b8dd5c887b116d2f3c9c4818f66
AgentTesla
eb241442be478aaf79ad13d352ed730a2d442b9dbafd5c962a5442a6b9f82a0b
AgentTesla
+ 11'155 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-3svk868lz6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar a53d53548cf8f67323c1f64adaaaff1ca98a793e5b5544f9e4d7922b218af3ac

AgentTesla

Executable exe 3a66b84fad0de0a2ce0fd2d36242b338cdf621d442f1b2ef12a07c7f97371791

(this sample)

  
Dropped by
MD5 469e89daf61bc198ddc1fdcbe4a63cc5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a53d53548cf8f67323c1f64adaaaff1ca98a793e5b5544f9e4d7922b218af3ac

Comments