MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ac44f96c1937f01a4a0f0a69d1a310a8e98e5a547fad95b38afcc4030af1646. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ac44f96c1937f01a4a0f0a69d1a310a8e98e5a547fad95b38afcc4030af1646
SHA3-384 hash: eeb9d15474d1a5e103616409438ea08a01ba7664a1c42c3bab1c51ca4f2be7f061c7dd6929f610eb35c02372781900e5
SHA1 hash: 10a7d2cf62c1eb577199d15ed3e9d330120579b7
MD5 hash: f0c93708667f00954236a2049d906ed8
humanhash: asparagus-video-jersey-steak
File name:Sat_Alma_Emri_6000000.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'425'856 bytes
First seen:2020-06-04 13:23:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:QaUDdu6VEt6YXsuDV+O0Q+2Gk7aiSu5euSESB0MX6rtqYuVh8qx6kP:2w6NYPV0Q+2BSu54lBDgwYstHP
Threatray 10'934 similar samples on MalwareBazaar
TLSH EEB54F27EC058657E02C03FDF8574DB56A2E6705B543ABFE61B60ECE2E0125A2E9703D
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.engrafik.com
Sending IP: 79.98.129.253
From: Göymen Demir Çelik İnş. Şarkı söyleme <ocavus@targim.com.tr>
Reply-To: redorange.110@jyzaustin.com
Subject: Re:Re:Re:satın alma emri
Attachment: Sat_Alma_Emri_6000000.img (contains "Sat_Alma_Emri_6000000.exe")

AgentTesla FTP exfil server:
ftp.lilangelness.com:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 13:36:30 UTC
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlce7fwbsn7qdjfa6ctj2grrbkhjrznfi75nswzyv7geamfpczda._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1c2bc64a7bfeaa6b61a5094ee4562008df806659b49e81f449e74be07bfcd80c
AgentTesla
2ee5c01d6740b2f12626d965b629f396451e22badb6d209b4f988bdf5ce5fbed
AgentTesla
34cf69d94adcbf7c3646400b9d457de10e974790ffa71278291b61426005f13e
AgentTesla
6f8656097253e7c03da9888a3c217581e576f5062075096e2bdd52f5d6515d83
AgentTesla
72aedefba6c5dc3e13064e87ae4389a18d0293b58214a157ef4c87a8f1538b33
AgentTesla
c389014fe07b309ae01e364e5cfa078f0a8239495092a420576a7d94ec4e93e8
AgentTesla
e19036840b004b79bb9ba2de79789e5404c833033f0b22e74e8eb98c1cba3b64
AgentTesla
eaf9e97b4d055b54d926265c1859acf33153daaa94e95c23d4c0849b48c391b5
AgentTesla
ee9ee2abef95ddfdcad61d9314b9fec9deb37695427b57b85248ff3adfa8fdeb
AgentTesla
f5c5bb6cc50ad8b292fee420d4aef9d5100d6703f6ef10b52fe98d98ce9bee54
AgentTesla
+ 10'924 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-sr6bc8pgrj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 33875f866460e2bfb19f9893dab65ceb36eb29266ab2dd08de31f9e23ca0d7cd

AgentTesla

Executable exe 3ac44f96c1937f01a4a0f0a69d1a310a8e98e5a547fad95b38afcc4030af1646

(this sample)

  
Dropped by
MD5 a42d9b5166827e8b19f0f38d64d86c78
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 33875f866460e2bfb19f9893dab65ceb36eb29266ab2dd08de31f9e23ca0d7cd

Comments