MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c3cb2a132973c4c43fc9368f509b0122f70a6eab0b4173405f0f72309454456. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c3cb2a132973c4c43fc9368f509b0122f70a6eab0b4173405f0f72309454456
SHA3-384 hash: cfbdd109af5fa8d2c661a683e90500b25d5e22e882055590058806808043d930d276b6c11c4e2d8b45a12eefe9741f13
SHA1 hash: a3d03e66e76247fa1e94d48e9fe4208baf156624
MD5 hash: 4f6eac1366c031f9c761480b0fd59193
humanhash: queen-bravo-don-magazine
File name:Order01163PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:674'816 bytes
First seen:2020-07-06 08:16:30 UTC
Last seen:2020-07-06 09:06:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Hy/gd95AkS7vPfI9s1uTWZ/AEusrgFR+Oq7SPTWRJMZP9pEnmn0Z9rH:Jd959SLgGLTwX1YSP99pE99rH
Threatray 10'815 similar samples on MalwareBazaar
TLSH C4E43939BB41A816D53C053584B65AD0A7B0A5873A12CF0F7ACAA72C5F037DF670A3D9
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: nsr.server2.gr
Sending IP: 78.47.58.124
From: Mar González de Santos <info.vinagresespeciales.es@pop3.cosmomedia.es>
Reply-To: worldnetofficemailer@gmail.com
Subject: maksu_011638PDF
Attachment: Pago01163PDF.7z (contains "Order01163PDF.exe")

AgentTesla FTP exfil server:
ftp.klass-hydrauliks.ro:21

AgentTesla FTP exfil user name:
images1@klass-hydrauliks.ro

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21348/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.3350.8958.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process by context flags manipulation
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4c3cb2a132973c4c43fc9368f509b0122f70a6eab0b4173405f0f72309454456/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 08:18:06 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jq6lfijss46eyq74snupkcnqcixxbjxkwc2bonaf6d3sgckfirla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05f08d66b6f118c60851b9b3a9f86eb9db05955af1bb2b6bbdd9b5308972b3b3
AgentTesla
1ac93b118f2f6facc20288611532e4f0f898967e262a6c9cea66bc2da07ad732
AgentTesla
4052f5e207560e9b8f69df4cc3002207418a3b26438bbd1a4279d096d0e83074
AgentTesla
42559744a026afaece34c2e4175903ba2d286f269042603c26f488f43c2c0b9f
AgentTesla
56cb69331a49e5a12f173cd58e68a1ded84247588e0c33dc0571d32caec6a111
AgentTesla
a4d4f50a2dff36ea8d3f92a832578a875c3f6a3ce227f1263114bf9dcbe9e335
AgentTesla
b341dab43275abb083b31e6852485e7f21802e6ab4310020a48dd8162c8c9c69
AgentTesla
c75fa16118d5d921d598bd9ff539426dcfd7aece03815e5be6414763ba72bda6
AgentTesla
cd9532fea4c331fed21dd929be9a963c50662e545e38a63fcae56cf13199fead
AgentTesla
f106c0e340d4fb92717d3ec2fd4e1c928155b3faa06aa8f4b98e9596cb5d401f
AgentTesla
+ 10'805 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200706-2k6ara4ks6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Loads dropped DLL
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip b5249aea1b072240626ca6aa8db0e108125add9e3017a54b22cfeed0e0d93fb9

AgentTesla

Executable exe 4c3cb2a132973c4c43fc9368f509b0122f70a6eab0b4173405f0f72309454456

(this sample)

  
Dropped by
MD5 19a72254b4f9bb677a5c0f0697a319dc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/21348/
  
Dropped by
SHA256 b5249aea1b072240626ca6aa8db0e108125add9e3017a54b22cfeed0e0d93fb9

Comments