MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3cf7a61f0ab30656aa7dd49ad4888794833ac3ae9eaf61391c4940117a4fd7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	c3cf7a61f0ab30656aa7dd49ad4888794833ac3ae9eaf61391c4940117a4fd7f
SHA3-384 hash:	31241383f3a4470a74e2603b3560c51602d2bd8c3e84d19301cd22df1a9d615a5acddaa13794420545233dff3bae48a9
SHA1 hash:	181cc51842fd88509d956700a9ced76bdd6743c1
MD5 hash:	c67bc491166752cb4a22a3bfc9fbe7ea
humanhash:	bluebird-fourteen-asparagus-washington
File name:	gunzipped
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	477'696 bytes
First seen:	2020-08-05 15:18:04 UTC
Last seen:	2020-08-05 16:11:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2ff2dc860b3be78716db0209b9220e29 (4 x AgentTesla, 3 x HawkEye, 2 x NetWire)
ssdeep	12288:IuAybmmRBkHgwNO+X85gTDTcp/AiuDueaJypYVwRwC6vkldSg:UybmMB501ag/TcdAXDueahwReYdSg
Threatray	11'749 similar samples on MalwareBazaar
TLSH	3DA4231AC2172966F7488C311F4F98FA2324505A1C43772A2E9DC42D3D71AE76B0BB7E
Reporter	abuse_ch
Tags:	AgentTesla

abuse_ch

Malspam distributing AgentTesla:

HELO: paymontly.servers.prgn.misp.co.uk
Sending IP: 185.20.50.76
From: Anatco.com <sales2@anatco.com>
Subject: - Order 28839
Attachment: scan-copy.xl.gz (contains "gunzipped")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/39755/

Detection(s):

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-6

PUA.Win.Packer.Upx-4

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Sending a UDP request

Reading critical registry keys

Launching the process to change network settings

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/411498

Signature

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Capture Wi-Fi password

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/c3cf7a61f0ab30656aa7dd49ad4888794833ac3ae9eaf61391c4940117a4fd7f/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2020-08-05 15:19:08 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yphxuypqvmygk2vh3ve22seipfedhlb25hvpme4ryskacf5e7v7q._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

47c8fab622177ddaa495e4b9294c0949be6c7572ef15f831ee7c326af0200ccb

AgentTesla

9eb1f39ae32ed2c3289f148c0182ef2f8916fe7283400fcffd262798c08ded91

AgentTesla

a884c6f90ec51dc6d39304e05efe5820d5c11afcd90abeaca8969b4adb9448e7

AgentTesla

c04b8ae6d8b950026abcfb92547590a9ae27fe60218542ff96ea94880536c80d

AgentTesla

c905064bb651ad48f6a67415f4b982254e6f816ff03b1f19d3da32da19a8d788

AgentTesla

d223c5d9e8c4529cf905bb3c777f6850b21babd5ef85cd270db5a9e760ba4e0f

AgentTesla

da283473a2f9bd5bb26dbe283b4d037f0992a8d87fbd6116b76505958394675c

AgentTesla

df8fe4098c22cd64afb8369348581a0ed7c924ea9ad659741e2899a32ab2e842

AgentTesla

efd857b9c713b00e8359f0c58fdb42124b2b3fccbfd5de1ef95156cdee038170

AgentTesla

+ 11'739 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/200805-pdstzkkl96/

Behaviour

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.96

Link:

https://yomi.yoroi.company/submissions/c3cf7a61f0ab30656aa7dd49ad4888794833ac3ae9eaf61391c4940117a4fd7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/