MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c35b432e7065752be444cf5822063e979c7021997a7a8f963b33f8a3f4d5b318. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c35b432e7065752be444cf5822063e979c7021997a7a8f963b33f8a3f4d5b318
SHA3-384 hash: 96f8cfeddf885385f76de8f4cb96fd805529b98b8341a83405019212252c818228922a4beef2005a547ef0e3bc69f874
SHA1 hash: f312ce265ebff4f22c8d4781efda234e1d7be5fd
MD5 hash: 062cbdf61004886a7658c255c7156559
humanhash: sad-robert-fourteen-tango
File name:PO-2008520096 PR 11662526_xlsm.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:753'152 bytes
First seen:2020-06-24 05:28:50 UTC
Last seen:2020-06-24 13:29:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:TSLeDi+22aojboLXDK7oHAtsXnhAs9YU+GDDhQi1cPXA2FUvoQNrZ9tg0Q4ye8:TVCojKDKt66WbqjmJl960QTj
Threatray 10'671 similar samples on MalwareBazaar
TLSH 85F45B7A7641B48DD13F093224B81891AB32AD472736C30F298BB7585F3529F7B4798E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: slot0.ekhtong.com
Sending IP: 204.48.19.247
From: MIRALSOL FLORES <info@creative-sour-co.ml>
Subject: RE: AMOS PO-, 20/085, 20/096 PR #11662526
Attachment: PO-, 2008520096 PR 11662526.IMG (contains "PO-2008520096 PR 11662526_xlsm.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
3
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13390/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WMI.28766.UNOFFICIAL
Create hunting rule

Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/378817
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 241548 Sample: PO-2008520096 PR 11662526_x... Startdate: 25/06/2020 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected AgentTesla 2->42 44 3 other signatures 2->44 7 pcalua.exe 1 2->7         started        9 PO-2008520096 PR 11662526_xlsm.exe 4 2->9         started        13 pcalua.exe 1 1 2->13         started        process3 file4 15 Intellx.exe 7->15         started        30 C:\Users\user\AppData\Roaming\...\Intellx.exe, PE32 9->30 dropped 32 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 9->32 dropped 34 C:\...\PO-2008520096 PR 11662526_xlsm.exe.log, ASCII 9->34 dropped 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->56 18 cmd.exe 1 9->18         started        20 Intellx.exe 1 9->20         started        signatures5 process6 signatures7 58 Multi AV Scanner detection for dropped file 15->58 60 Machine Learning detection for dropped file 15->60 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->62 22 AddInProcess32.exe 2 15->22         started        26 reg.exe 1 1 18->26         started        28 conhost.exe 18->28         started        process8 dnsIp9 36 smtp.yandex.ru 77.88.21.158, 49738, 587 unknown Russian Federation 22->36 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->46 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->48 50 Tries to steal Mail credentials (via file access) 22->50 54 3 other signatures 22->54 52 Creates an autostart registry key pointing to binary in C:\Windows 26->52 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c35b432e7065752be444cf5822063e979c7021997a7a8f963b33f8a3f4d5b318/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 05:30:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynnugltqmv2sxzcez5mcebr6s6ohaimzpj5i7fr3gp4kh5gvwmma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ec43ae5c8b1e95538f25ffe83123138a3d6083f5d9b2bdee312844689fa1f05
AgentTesla
131d016519d6ec1f5ce66362f5c4c917d4cdf0648242f20272b59a43764c53f0
AgentTesla
3bffd1c8945804a71bca4c0861dd2f26362847c59d6adc15b8c3ecb82d5aa026
AgentTesla
594f5fb1a4eaeb649b2f293c5eab4da72d1b193e208e966f1351ef58be16f7ce
AgentTesla
706c290e4e11ac3f5ccb73d3065d08fc536f433afaec0334ecab39d801247a79
AgentTesla
8c9a0a56e926372480efddcbfbb5664c3c17ad8d153d997ef34f34ed1ef42542
AgentTesla
99876ee50802848768d32d6cd179141603d76259e33c223b47204e33ef4b416d
AgentTesla
9f80f311d2f6a2ccaa0d4aa42ce625b6317a1785a9bb52bde2fa68f68fc7f68f
AgentTesla
bfa03a66eb0b9720abf3efe1e9a220daa682dcb69f6bb6febdbc56bb9624e77f
AgentTesla
cea8cae444dd5dadf01c31def4681b170907b97e0cfb468a9ff317ce7ae736a3
AgentTesla
+ 10'661 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200624-ggev3hlfna/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run entry to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 65ae8617a8d87a196d469a58f2edd475c9884a45b912ce3ecb2efa6a5c9e1e53

AgentTesla

Executable exe c35b432e7065752be444cf5822063e979c7021997a7a8f963b33f8a3f4d5b318

(this sample)

  
Dropped by
MD5 c52b04084439dcfa091bc99f7dfac28c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 65ae8617a8d87a196d469a58f2edd475c9884a45b912ce3ecb2efa6a5c9e1e53
Cape
Cape
https://www.capesandbox.com/analysis/13390/

Comments