MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3918653d4bf1fc418756b657cd02b4aaad7c26f5fbbd7cfb1ac86521f1132cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	f3918653d4bf1fc418756b657cd02b4aaad7c26f5fbbd7cfb1ac86521f1132cd
SHA3-384 hash:	999755e1679af9ee138c7332b695e04f3214308ee3635ab4f413d8b3be3f0e6d4ca76022dfe54ef782d32c833de597aa
SHA1 hash:	e38a90978cabecf7de8558f46d0eedf83fc3a45d
MD5 hash:	eb306a6d33c9b94f1096051cee603136
humanhash:	april-pennsylvania-connecticut-east
File name:	PO-Urgent Product Enquiry PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	821'248 bytes
First seen:	2020-08-12 14:33:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:PI6q+jK6KVwNn6Jk9QY63zSj9a0y5B6X0To0qD:m+jCVe6JY9E54
Threatray	10'777 similar samples on MalwareBazaar
TLSH	4E05F8DE2B90200BE53D09B184B99FD22271E99F3F01C60E7D81BB8C6E127D72B565D6
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: hosted-by.24xservice.com
Sending IP: 95.211.208.25
From: SULAIMAN AL-AHMED <biomedres@emedsci.com>
Subject: PO-Urgent Product Enquiry
Attachment: PO-Urgent Product Enquiry PDF.img (contains "PO-Urgent Product Enquiry PDF.exe")

AgentTesla SMTP exfil server:
premium72.web-hosting.com:587

AgentTesla SMTP exfil email address:
ckguy@stiphil.ml

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/44191/

Detection(s):

Win.Malware.AgentTesla-7660762-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/422836

Signature

Allocates memory in foreign processes

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/f3918653d4bf1fc418756b657cd02b4aaad7c26f5fbbd7cfb1ac86521f1132cd/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-12 14:35:07 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6oiymu6ux4p4igdvnnsxzubljkvnpqtpl655pt5rvsdfehyrglgq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

54a3195e1eb2acf84a5d65549f7497c30e161c48fc5de9754d99bdd57d1ef4c9

AgentTesla

68f770cf2f06a3c28dff7e9e3282ad929834af4949e948417b4cef7eabee26ad

AgentTesla

6d31f7c6ef9d370022981a004a3e8a711abb64d2d196a38d36a95de6c7c6823f

AgentTesla

8b59bb0de82bb4ea040c01288665d92022d47b8a2c426c573181dffe650e3a8c

AgentTesla

91cfa121b109ceaceb8ca6dcef72ac69691291facec3569755f13c4a87f6da75

AgentTesla

924a88861bc8088ea5d9bd39765638b6376bcbe32930413ebb0dfb688554e0de

AgentTesla

b7f19729b194bac7f587a7cc19778e925a218fec8106b23466367b2847b99ea2

AgentTesla

ccdd4387470eb34b9bdef3aa3c4b7a4c51ae84b8c7a88fc7d059713ab1249f40

AgentTesla

daa7e0e3205d16a27855653633b9c87f3d8f95b0b7b0d12805077ce24a55232d

AgentTesla

+ 10'767 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer family:agenttesla

Link:

https://tria.ge/reports/200812-jhvjambssa/

Behaviour

AgentTesla Payload

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f3918653d4bf1fc418756b657cd02b4aaad7c26f5fbbd7cfb1ac86521f1132cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar