MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f5e9228e55bcc3b1275b7781683f6465921db947bfa6897a62bd5b7a1d15474. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f5e9228e55bcc3b1275b7781683f6465921db947bfa6897a62bd5b7a1d15474
SHA3-384 hash: 1f43f2f669f660ee17901809cc05bf9358349338ec10f95688302201f3be95ff6ff301b624c5445f525d1cd22cb2993c
SHA1 hash: 3f1f0517eab6b495d72cc714c242dd81b9aa22e5
MD5 hash: 7eb65070960dce1e0cfb534f7094a31b
humanhash: montana-mississippi-floor-salami
File name:Scan copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:478'208 bytes
First seen:2020-07-21 13:57:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:c/dNOgV2sWxbRzJ4Vdaw/ywrehwG6cBkTZ8wCpiJ:c/dNOgVVWxlzJ4yUywukTPN
Threatray 10'889 similar samples on MalwareBazaar
TLSH C3A4DF9CBA6071EEC867C576D9A82D64E66138B7932BD203601701DD9A0E7C3CF646F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: pro21.emailserver.vn
Sending IP: 103.15.48.241
From: Qin Wei <trangth@newbev.vn>
Subject: New Purchase Order Document(s)
Attachment: Scan copy.rar (contains "Scan copy.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30172/
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EONQ.20735.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3f5e9228e55bcc3b1275b7781683f6465921db947bfa6897a62bd5b7a1d15474/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 13:59:05 UTC
AV detection:
25 of 48 (52.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h5pjekhflpgdwetvw54bna7wizmsdw4upp5grf5gfpk3piorkr2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ce08df0b3611911bc5afc8a1cca8ee808bcc0c4d7224910fad496244c38e47b
AgentTesla
223d7fdd2305def16cd0c966c3bc4a9094dfb6ba951f46c3f868d9a713db30f9
AgentTesla
367d1fd29045416d80d3b22efd7b0684601c184ea06cbeffad5b4562fcee0533
AgentTesla
5b4fbcacc1b3bc337a2c67318ff72d21f2c286c00472a8cb3c49bb0d19c2507a
AgentTesla
62b12b5aa0a143e4e524a373433964af7789445282fbf8247be68e57c8befaa9
AgentTesla
6b2503a98a3f1b29173e7e42867b4ac5e21a825348b791ad4a6ea12966720514
AgentTesla
c8f33116c7687f9356ff635c3aeda9244900cdcca560792079389d838940c25a
AgentTesla
e71c74d33683e14022e6d0f0e7a14efcf744c7d4aec03216934dbf17eba9eacb
AgentTesla
ee5571110d6b005c3de5cbe9672640254c3129f2b523a357da6f163a1b827c47
AgentTesla
f7fe3c3f88aef6e3994fb4fd091930f5870998c1de9785c65b1294718563af97
AgentTesla
+ 10'879 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200721-p8ar8tmjk6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Drops file in Drivers directory
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f5e9228e55bcc3b1275b7781683f6465921db947bfa6897a62bd5b7a1d15474

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 0fd798de75575345dec23629f34adeb03a021f6e403d398b9cb6bb55c43ab520

AgentTesla

Executable exe 3f5e9228e55bcc3b1275b7781683f6465921db947bfa6897a62bd5b7a1d15474

(this sample)

  
Dropped by
MD5 f7990b898f22f720aeb52dc7dc188f4b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30172/
  
Dropped by
SHA256 0fd798de75575345dec23629f34adeb03a021f6e403d398b9cb6bb55c43ab520

Comments