MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c36ec20d62327ed334bf5e0d9d8e3e7c921bfa52172d4dda74224c728487b29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	3c36ec20d62327ed334bf5e0d9d8e3e7c921bfa52172d4dda74224c728487b29
SHA3-384 hash:	713547e093facdc918c9ba5133c69f863f0d5c8e828cf5fc7066875e413c252e603c7d6991d2897d9642ce0bc330b77c
SHA1 hash:	5a6372b69418ed98560643f071887c9e6f9be50d
MD5 hash:	8c0e240161ad40e7511c9a374db9e809
humanhash:	wolfram-item-oscar-don
File name:	VW11SfYZHYnWSzE.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	835'072 bytes
First seen:	2020-06-08 19:15:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:O7+lj8nf3PLrUG7lEYscc2+ofxzZibM+SAJqByFMotx8TpyTUItbHFXPqLrQMsh6:OaOnf3zrUqd3Bv/E5Ch78tbH6
Threatray	10'751 similar samples on MalwareBazaar
TLSH	5305F18D761072EFC86BC472DEA80CA8EB5178BB831F5603942756ADDA5D887CF144F2
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: slot0.tessler.tk
Sending IP: 193.29.56.140
From: Michael Giebeler <market@tessler.tk>
Reply-To: m.giebeler@aol.com
Subject: Customer enquiry
Attachment: Item_Lists_IMG.iso (contains "VW11SfYZHYnWSzE.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

84

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VEF.23589.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-06-08 19:17:07 UTC

AV detection:

29 of 31 (93.55%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hq3oyigwemt62m2l6xqntwhd47esdp5fefznjxnhiismokcipmuq._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

134e6a89707dc09ee15ea58d2baac9018799421feca11db0c6549aece445be33

242f7f6ffaf359eb1b04fdd6fb1dc116066341e80838cc0a9eb8683306a98e80

2ae5302a997467e32d4822fbf756f9355d0474facb9cc70dc65eaa382f055e08

4080e1316e697c2a512e858807ce5d01b3578e52808610ec815475f7a5703d63

505fb0a37da3e27d2f40ba8ec69ed380b743f952deea93bab1e7a6167d36e586

5a7a9cb17f7c3d46e18a60c4201edbb8e93fe20723b34a9967a0fb67d2bf7896

6ce82de9b05b1a5e2cee73e45292f3e06aa8df33c904724ea5f5bdd536d44c39

865c8147240b3c3929cb5f4e992671eefb5c56caf485cb05af77361b9989a1cd

ccd2ac5dd1eb20c1e42569f55fe7ee5c428a2afbfcb909205e7ecd3077b5c677

dcd4168c853c32e4b9cf2059fb4f7ddb3af86b5f78bb845993af93a522c4b189

+ 10'741 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla agilenet keylogger persistence rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-4q3r16gqbx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

AgentTesla Payload

ServiceHost packer

rezer0

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso 7cd8cdc1a5aebf9faef915f96f733ff87f4d3e3f7a2a2679681829a8df86646d

exe 3c36ec20d62327ed334bf5e0d9d8e3e7c921bfa52172d4dda74224c728487b29

(this sample)

Dropped by

MD5 ca4b6d7db38706fa5d5d4abe375a7886

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 7cd8cdc1a5aebf9faef915f96f733ff87f4d3e3f7a2a2679681829a8df86646d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample