MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3f038f7ea7aba5ce5e184d91ef33b9b365f3133088f21af6cf6b1e06c2b7520. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3f038f7ea7aba5ce5e184d91ef33b9b365f3133088f21af6cf6b1e06c2b7520
SHA3-384 hash: 06efaab23d70e5bf3b7c1967365160a7b536036f377c7ef348746f1d29f51247f1eabfff7300032e334be869f7538f75
SHA1 hash: dcde1beea677ef239fac2cb19521bea37b3013c3
MD5 hash: e1a92dec597ede60c04f1eed7715c461
humanhash: robert-berlin-illinois-tango
File name:New Inquiry.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:583'168 bytes
First seen:2020-06-10 07:11:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:sjXeL85uO2YXgdm8s0t9ClZTkrbdwaF6ySgTKWENpL8jJ4v68+6kAbnAc+gc7NVy:WBXem8s0tkDYrZ6ypTKWJWv68+V4
Threatray 11'107 similar samples on MalwareBazaar
TLSH 6CC4DF8D7654B69FC82BC97289A91C24AB6078B7931BD343A44726ED9D0D7D7CF002E3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.xweb.cz
Sending IP: 193.19.179.33
From: Gina (Gina) Breedt <info@auto-simek.cz>
Subject: New Inquiry
Attachment: New Inquiry.rar (contains "New Inquiry.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 07:13:07 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6pydr57kpk5fzzpbqtmr54z3tm3f6mjtbchsdl3m62y6a3blouqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10566a81427f90f1a6eb8b01545c41efe5d7d42602bdc6c6762930ad8f304d88
AgentTesla
5afb8b1e08dee442332deaabd3fb126ffd9d4b34056aa33e121f24776086695a
AgentTesla
637b72e82538b767707282db37c0f960aa60c72e3c44c76ecaf232a9c105bf41
AgentTesla
6a147caafb9ba563492e7974b271d469c95300eabb699dc797ba896587aafe1b
AgentTesla
7dfe5d9e3e099285a3bc63497d1ee47ac99b7012f23beb730d73557b40afa26c
AgentTesla
7f955530859680734f6742fa13e78e4b34418424279ccd7a22e1f701b286d4f5
AgentTesla
924d2110a668acae185a205cc51772d088304b941e306ae369b7f62f788d3632
AgentTesla
ac6059835dff236452027450749d077775411e277447a711e5f53bea47262821
AgentTesla
ba570d5e847509c2b56f4bd5dfb21115e1e9516481c2a89859c2f682786a0eae
AgentTesla
cea7a7d16ee12b688cccbb9dd85e7afccfff1329ca8c74ae0b7f815372252604
AgentTesla
+ 11'097 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-ysygmmmqdx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
ServiceHost packer
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 38b4e78c90c783383d42f1437e37b2d33b6941e292bdb65b2afe484907f02446

AgentTesla

Executable exe f3f038f7ea7aba5ce5e184d91ef33b9b365f3133088f21af6cf6b1e06c2b7520

(this sample)

  
Dropped by
MD5 bddf326a3276925c8ef705e324528973
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 38b4e78c90c783383d42f1437e37b2d33b6941e292bdb65b2afe484907f02446

Comments