MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bffd1c8945804a71bca4c0861dd2f26362847c59d6adc15b8c3ecb82d5aa026. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3bffd1c8945804a71bca4c0861dd2f26362847c59d6adc15b8c3ecb82d5aa026
SHA3-384 hash: 0e5d79c1f31d059fd42494846270246bf1cd8f9a354161144280b820b7d31a7132cac950e155576c57cf661d2b14aed8
SHA1 hash: 59704eeaf746bf70512f4d5a68a8ca2c12b948e4
MD5 hash: e359451d10475730534127ad63863fd8
humanhash: potato-cardinal-ohio-thirteen
File name:RFQ No 17545 -Order-4590_xlxs.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:685'568 bytes
First seen:2020-06-19 04:18:59 UTC
Last seen:2020-06-19 13:31:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:/6d9gMdLXTk4RJGUianwofZ1tZ5QH9wY8Pw9GNrBUBped40tzB6X14y:/6vldzgInNm8YgdoVAzW1T
Threatray 10'655 similar samples on MalwareBazaar
TLSH F7E45A3C7645B446D13F0A3210B556A1AA329D477A3AC70F29C633585F332EB3B57A8E
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19860/
Detection(s):
SecuriteInfo.com.Generic.mg.e359451d10475730.19474.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-19 01:48:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hp75dseulackog6kjqegdxjpey3cqr6ftvvnyfnyypwlqlk2uata._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
131d016519d6ec1f5ce66362f5c4c917d4cdf0648242f20272b59a43764c53f0
AgentTesla
594f5fb1a4eaeb649b2f293c5eab4da72d1b193e208e966f1351ef58be16f7ce
AgentTesla
706c290e4e11ac3f5ccb73d3065d08fc536f433afaec0334ecab39d801247a79
AgentTesla
8c9a0a56e926372480efddcbfbb5664c3c17ad8d153d997ef34f34ed1ef42542
AgentTesla
99876ee50802848768d32d6cd179141603d76259e33c223b47204e33ef4b416d
AgentTesla
9f80f311d2f6a2ccaa0d4aa42ce625b6317a1785a9bb52bde2fa68f68fc7f68f
AgentTesla
bfa03a66eb0b9720abf3efe1e9a220daa682dcb69f6bb6febdbc56bb9624e77f
AgentTesla
c35b432e7065752be444cf5822063e979c7021997a7a8f963b33f8a3f4d5b318
AgentTesla
cea8cae444dd5dadf01c31def4681b170907b97e0cfb468a9ff317ce7ae736a3
AgentTesla
e7cd9d6b370e89f736e5819565f9fabc8cddad256514e75672274ae11609dcb5
AgentTesla
+ 10'645 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla persistence
Link:
https://tria.ge/reports/200624-sw6n7jbf4a/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run entry to start application
Loads dropped DLL
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

75334563ff14820ace3586aa715a888cf456fe17f63e20e3e8d341e824414332

AgentTesla

Executable exe 3bffd1c8945804a71bca4c0861dd2f26362847c59d6adc15b8c3ecb82d5aa026

(this sample)

  
Dropped by
MD5 132f39fb539a2a3271919dd3aea5c5e7
  
Dropped by
SHA256 75334563ff14820ace3586aa715a888cf456fe17f63e20e3e8d341e824414332
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19860/

Comments