MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3fb6b53e77c6da05538f2ebe2dec18a8f04549b579057814b3d6abdd159dc5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3fb6b53e77c6da05538f2ebe2dec18a8f04549b579057814b3d6abdd159dc5c
SHA3-384 hash: 85691e6e3354543ca2229231794f976287e47ff4d08160fe21eecb0c5e2d1f43ef0dbc3c926f0b9a896ca9f4b3c18dc2
SHA1 hash: daef36d08e3f15660fa8e41eae4de0a6d432c269
MD5 hash: b974854147494cd109a6e13cbb484967
humanhash: early-alaska-golf-oven
File name:I-Group.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:630'784 bytes
First seen:2020-06-29 11:54:33 UTC
Last seen:2020-06-29 13:12:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:KvlhkLPLFuboHlRSdAISiNKQH/Ymvxip5AhMNW175JRaQer89X:NTFual0d5pYmNhMk1tJFerMX
Threatray 10'585 similar samples on MalwareBazaar
TLSH 37D40A2A7E45F504D13C5D3340DA1A9067B2A5C32A23CB0F7ECA9BAC5E4139B3E5635D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.sgbcg.com
Sending IP: 113.11.251.241
From: Matthijs van der Weg <materials@amoceg.com>
Reply-To: Matthijs van der Weg <fewadkhan56@gmail.com>
Subject: New partnership
Attachment: I-Group.rar (contains "I-Group.exe")

AgentTesla SMTP exfil server:
mail.tandempakistan.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/16237/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.4261.29721.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a3fb6b53e77c6da05538f2ebe2dec18a8f04549b579057814b3d6abdd159dc5c/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 11:56:05 UTC
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=up5wwu7hprw2avjy6lv6fxwbrkhqive3k6ifpaklhvvl3ukz3roa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09c8cbd9cdfda1fcb7c6a051887213dc3e3ccf00a5877eca3d3e374f077b98d5
AgentTesla
1180c43e3a157c4281bb941803b47646935489139498167e6877822744d275c8
AgentTesla
60a29266c95ea0804f9ac2ac669d0999bd484bdb94b557a6068479a08bee287f
AgentTesla
76f3a761f1f6078dac5957bbd5c005499f97b77756c793fcfc2ec3ec9c6fa9f3
AgentTesla
862376a9e48e0c84820bfd7b013cb14f9e2a41151785f3558e7912e2e8041d39
AgentTesla
8d3e005de2a2653aa88e129673e8996751fbeb0628a2710fe0081e424a13d4ff
AgentTesla
92b3287ca777166f9231da535aa5248d3508ffdae60a53e378316ac079b9b60c
AgentTesla
9609521157307211746e70e6cc89864fa8524701074181cf4f8da9714b1f6ef4
AgentTesla
b57621a01d60fb7b8e0096c58f1b0dc6b21ba5d3f7676c443c6f0b9ccd587807
AgentTesla
e1ed2737a0634b9e3bcea6c171586b374844aabb1f3df3ee219aa3e33ed3b32e
AgentTesla
+ 10'575 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200629-ayepvgdeys/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Loads dropped DLL
Reads data files stored by FTP clients
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar bccdd7c2643a2e6c47bb6ec5ecd59220cee67ea3e2fbaea8a15395feb0ae8926

AgentTesla

Executable exe a3fb6b53e77c6da05538f2ebe2dec18a8f04549b579057814b3d6abdd159dc5c

(this sample)

  
Dropped by
MD5 ff10efdd2a2cca14336b332d8ab52c40
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bccdd7c2643a2e6c47bb6ec5ecd59220cee67ea3e2fbaea8a15395feb0ae8926
Cape
Cape
https://www.capesandbox.com/analysis/16237/

Comments