MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c424e2399b9c7c6137ebd07c82955103e205ec70fa52518ea73fa82ef5cf946. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c424e2399b9c7c6137ebd07c82955103e205ec70fa52518ea73fa82ef5cf946
SHA3-384 hash: da3a21d11984ea4401447529788f07eac4d0b770f520ce27354a29b780fa4697fcc4426347f45b81429e3ff9c1e65944
SHA1 hash: 0f8cca416e23b09d9581220afdfdf40b368f0ff7
MD5 hash: 22ed70b48024dd116b39bb441ccc491b
humanhash: delta-kitten-bacon-victor
File name:WT0045679 (2).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:576'512 bytes
First seen:2020-07-16 07:56:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:6CfBng12k4zUmYpRbyiCWfKtJLWrT6VD4zIAuZlh6z:TPYXbyiCNbLWq+
Threatray 11'104 similar samples on MalwareBazaar
TLSH 74C48CCC3910719EC51E8D764964EC70A6202C62F7FBD20763C36E9FB93D696DB112A2
Reporter abuse_ch
Tags:AgentTesla Endurance exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 142-4-22-49.unifiedlayer.com
Sending IP: 142.4.22.49
From: Li Wang <ningxj@ccdc-ec.com>
Subject: RE: Remittance Advice
Attachment: WT0045679 2.r01 (contains "WT0045679 (2).exe")

AgentTesla SMTP exfil server:
smtp.canbest4x4.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26482/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Enabling autorun with Startup directory
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/389419
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3c424e2399b9c7c6137ebd07c82955103e205ec70fa52518ea73fa82ef5cf946/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 07:58:09 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hrbe4i4zxhd4me36xud4qkkvca7caxwhb6sskghkop5if3247fda._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00e8d6de1e2450594b8e61c5f8ce0b7c0b0aff075e72e79b7be035203511abbb
AgentTesla
56cd939651c9ee93f11c373aac8fcb3a97d5403a381f6e2b20e4f723993430b1
AgentTesla
57234a3ec3bf2d3e6539a25221595d791fcf68dbed39a942651819c74fc3c664
AgentTesla
672890fe585891106f1f8b275f6084f6ac05855aae825a2c0ada8899da2be91d
AgentTesla
6d64f2c47bc182a160e02ceebb8e194dd627fb83d762f9d1609d4f1d7cf3ff89
AgentTesla
91ec8e2e85917775a7055500c887bf49371679f772bd917c69dfb2b628f4a680
AgentTesla
94213bb74d440f1782526a2a47f1820545963ad6b07aca628718c4e9113649e4
AgentTesla
ac6059835dff236452027450749d077775411e277447a711e5f53bea47262821
AgentTesla
cd48e7228ffe8ca44b77d71d3fabd0d77b07a7c6cae4239ea83568389c20731d
AgentTesla
f32433910c4e4cfc2c310279138f0c977abdb9878661781bf28c752b15b92df7
AgentTesla
+ 11'094 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200716-c51r7hya4n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r01 606779b06d9ec8c5baff47ee0963659820389a3083a7fb360ebc89356f64256e

AgentTesla

Executable exe 3c424e2399b9c7c6137ebd07c82955103e205ec70fa52518ea73fa82ef5cf946

(this sample)

  
Dropped by
MD5 6cebfc4c0b20346ff28aeaeb42076746
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26482/
  
Dropped by
SHA256 606779b06d9ec8c5baff47ee0963659820389a3083a7fb360ebc89356f64256e

Comments