MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0e3bbe3f48ddad4acaa28cabab76523d8fa113425365bb80b08dcbdb090bac5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	d0e3bbe3f48ddad4acaa28cabab76523d8fa113425365bb80b08dcbdb090bac5
SHA3-384 hash:	9a3a2d2f0cb3b4ab24777381fd74e6689a88f5f28c98d5a7a0208111700d0c13b61e18d64c684cabb62d57199520f058
SHA1 hash:	e49c2487840a5e76f6a0c87076c2f3dd45e05226
MD5 hash:	ffeb6aaa3499fb6f2e71c312f7fb0767
humanhash:	burger-pip-winter-eleven
File name:	Arrival Notice AWBPLinvoice and BL.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	611'840 bytes
First seen:	2020-08-11 12:04:28 UTC
Last seen:	2020-08-11 13:19:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:S+rnjbpCeovrxIn5adf9KYZTHktDOK7GDd:ys5adf9KuTEt9q
Threatray	10'750 similar samples on MalwareBazaar
TLSH	D0D44A3D3E816912D13D097A44E899D06BB1B8477F12DB0F2AC6074C6F1299B3F4A9DB
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

abuse_ch

Malspam distributing AgentTesla:

HELO: slot0.soctrade.ga
Sending IP: 173.82.238.253
From: DHL | Express Shipping <info@soctrade.ga>
Subject: Arrival Notice : AWB/PL/invoice and BL
Attachment: Arrival Notice AWBPLinvoice and BL.iso (contains "Arrival Notice AWBPLinvoice and BL.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/43326/

Detection(s):

SecuriteInfo.com.CAP_HookExKeylogger.28197.21645.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/418727

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/d0e3bbe3f48ddad4acaa28cabab76523d8fa113425365bb80b08dcbdb090bac5/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-11 12:06:07 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2dr3xy7urxnnjlfkfdflvn3fepmpuejueu3fxoalbdol3meqxlcq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

33a9201ef8fd603fb8e3fb4b2c01f5f5ff9dea32afed5069c8c1224e5f5aa968

AgentTesla

350f76a14a11bfe8d35f65d21204d6f3b58f5b8b3e80946fe664c2ec28ed5964

AgentTesla

7e393bcd518415ad70e7a6924c8798391400554fce9c2a639a891dcda4f8e230

AgentTesla

9cf292ab66697e49eb983402a604a020dfe6ff544cee35a3fd252a1104349126

AgentTesla

bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6

AgentTesla

d7e75a0a8afcbc738cf4d9664ea6eb05f2ff4bd449efb042e2f7ab5ea6d68ce4

AgentTesla

e3854025455792e894025cff4108978ce383570b7c5361cafcc0dfbff6e29fc0

AgentTesla

e9b9c624c29a9aefaa2f235d9014a3bb4350f844d617530da216e434a53660b9

AgentTesla

f8166c3c857a7a3ba99515cf6ae242a78050fba7608e24a88e2559e0063a187a

AgentTesla

+ 10'740 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer family:agenttesla

Link:

https://tria.ge/reports/200811-vfyy14xsa6/

Behaviour

AgentTesla Payload

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/d0e3bbe3f48ddad4acaa28cabab76523d8fa113425365bb80b08dcbdb090bac5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar