MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c6ade352dcf983887305516d4badfef0c2ba06e20f90cf34f09c4cf928196b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c6ade352dcf983887305516d4badfef0c2ba06e20f90cf34f09c4cf928196b5
SHA3-384 hash: 7a2fd7a41c269d83809599ff7bbc68cdb96e36b85915d6e60cc31ef0c2fee51db90949b7a1d75c075d4098af569570fa
SHA1 hash: 94e926134ae62e79e3c76bf4f11e13bb73bee718
MD5 hash: 1d03e0012f36abbd2453692cdd0b1e02
humanhash: zulu-oxygen-south-louisiana
File name:Ziegler Hellas SA GROUP 1X40 CNT #PO101166 .exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:480'768 bytes
First seen:2020-05-13 07:18:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:5JskmSJ7rGN/IIEs7IzCGXHGZbWSJb9VmDk1pvumQr2EQdLet4Gz1HMUxL:5JsVSJG/ZDEmGmjJ5QDgJySXds4GzV7L
Threatray 10'936 similar samples on MalwareBazaar
TLSH 4FA4DF297244F22FC9816578E023F4513EA0BF215051E60E6A8B727A713A78749FFD3E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: slot0.biokorntackt.com
Sending IP: 45.95.168.106
From: Nikos Lathourakis <info@biokorntackt.com>
Subject: mixd ctnr
Attachment: PO101166.zip (contains "Ziegler Hellas SA GROUP 1X40 CNT #PO101166 .exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 07:36:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 31 (64.52%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hrvn4njnz6mdrbzqkulnjow754gcxidoed4qz42pbhcm7eubs22q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00c63f44b1367e22d7d7887651bbee0ff02e40891480bb0b88d3ae636b912ece
AgentTesla
333ad0464f9d81f73f020ce2cde4d3d69ca607931ad7be40213fb56458b85c6f
AgentTesla
3a66b84fad0de0a2ce0fd2d36242b338cdf621d442f1b2ef12a07c7f97371791
AgentTesla
3fc3fb7bfc4691907a80f689bd914ef1331e8d2a43585a377e18cfdd199e7fdb
AgentTesla
43d9cf724e29e3ebfa8343e50e9e08ae89ebacea0bacdcde4d7c8d827ed51570
AgentTesla
a7b1a7fff061e31af64a38658b4f8de3a537a2b35f3d753f7a8341b68e7a7bae
AgentTesla
cee75468b5e72c5859de410468220a3d897b5eea8cd633fac8db04ad90d48e3f
AgentTesla
da64ba6aa9134a524cb31e5d92a4c6c31980c17f8e49a9d4ab93f6a9040c9d01
AgentTesla
e9eb4d205fad12909fcee34a44bceec578b13b8dd5c887b116d2f3c9c4818f66
AgentTesla
eb241442be478aaf79ad13d352ed730a2d442b9dbafd5c962a5442a6b9f82a0b
AgentTesla
+ 10'926 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-xrnhdnwrbx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ce0dea969f425255b8d83bb730aad6fa2348fadc7d56338772793e9ff74f3020

AgentTesla

Executable exe 3c6ade352dcf983887305516d4badfef0c2ba06e20f90cf34f09c4cf928196b5

(this sample)

  
Dropped by
MD5 10be33d08f597288f7cc3f6896fec457
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ce0dea969f425255b8d83bb730aad6fa2348fadc7d56338772793e9ff74f3020

Comments