MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ca89270a1e4ae27056087ab556bdadd89ba1ab27b505afa53a812c5f2acabc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	3ca89270a1e4ae27056087ab556bdadd89ba1ab27b505afa53a812c5f2acabc8
SHA3-384 hash:	288780aa3942d160375bd73f1f4565e700790fd1921af963babe609cc2bad846b14883d5536e446a2b9307b2ae046aff
SHA1 hash:	805b78c882e54850e18b2a205a86e32019bc1e7f
MD5 hash:	28ee824cd3b33dbf89e42445185c94b8
humanhash:	robert-kentucky-bacon-bakerloo
File name:	PO.PAK220050019.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	586'240 bytes
First seen:	2020-07-09 13:43:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:41OEacTaulCSRO6qnRyPle20H32BzA9oVAL+O0+CWtE6KIXR8DG:4LTESRdPM2232BzAAwZ1C+E6XyG
Threatray	11'285 similar samples on MalwareBazaar
TLSH	86C402BA72642C3FEAB808F594636D411FF0941718A8E3E91CDA21C9A4FDFD8654C16F
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23846/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3ca89270a1e4ae27056087ab556bdadd89ba1ab27b505afa53a812c5f2acabc8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-09 05:26:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hsuje4fb4sxcoblaq6vvk2623we3ugvspnifv6stvajml4vmvpea._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0a0ac8e138fdddc9e18357375ff41da88e340ac4dfc225d2d60976607dac8d8c

AgentTesla

1c2f10aaf4e8b9a9e90316e8b470616bac893609cd85374cb11bb4a1a3971e5b

AgentTesla

48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901

AgentTesla

80f41a09d12356205262bb77b16daeaf2a284a89fd737b042149a4207f16c702

AgentTesla

997de5ed7182657e00985a8b1e5f91656a8d7ad171c504780c5edbdda5fd5835

AgentTesla

b16313623225240e8d7e449c11d808f59807a3cce123b65aee197e5cc38a2a60

AgentTesla

bd2bf7c79dda8208f9ec0c2199d1ec61058aa43bbe6f8548623444fc143a3aec

AgentTesla

d6fb73252e37f4b2e507e97ddd633c789f7f947ee48b1e564330f4c1529eefb5

AgentTesla

e60131e245aac591c455594f208de438d18da96de8cd08c4990c973c7956c38f

AgentTesla

+ 11'275 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://tria.ge/reports/200709-851618lewa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/23846/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample