MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 031b0bcde6e169070993f85f816ecaf48f46a90f40f2d08cf5e0089d11d25e32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 031b0bcde6e169070993f85f816ecaf48f46a90f40f2d08cf5e0089d11d25e32
SHA3-384 hash: 2608dc514b5f23a2d51cf5ceb56757b8aa94f268af87cc3872ee465bc19e29ab5e42c2a2916c7c2a56b36507a19a8d1c
SHA1 hash: d5dc2abec666c6cdae3afa7dfc1ff6a25cfc0289
MD5 hash: cf1d5c4491577bfa85b186fbe102e67d
humanhash: quiet-vermont-maine-dakota
File name:Payment Notification.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:458'752 bytes
First seen:2020-06-24 08:34:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:DlyHVVRhd6seMX2mVWYlGk7Yf3HYpojp8Qeou+2Q1RxubKj6LdIk6rBmbadphMBh:SHSMXdIYlGk+TjpCoV/Iej+dHwme7he
Threatray 11'725 similar samples on MalwareBazaar
TLSH ACA4F10B374CA517C5BC4AF990D21B4863BA69EB6662FBE61CC076E915D3BE805213C3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: fibew.duckdns.org
Sending IP: 185.247.117.250
From: paymentemail@fnb.co.za
Subject: Payment Notifcation
Attachment: Payment Notification.r10 (contains "Payment Notification.exe")

AgentTesla SMTP exfil server:
zstcznz.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13611/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/031b0bcde6e169070993f85f816ecaf48f46a90f40f2d08cf5e0089d11d25e32/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 08:19:41 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=amnqxtpg4fuqocmt7bpyc3wk6shunkipidznbdhv4aej2eoslyza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
666b4d8521af8e8c149431fea4f3fce4d859b9d102e894928edb0e005ad8153d
AgentTesla
76933bfe9afdf8d266352155f09995acadcab23345fabe2518d5bf15d45c9cd4
AgentTesla
82bdf1c9eeecb62113d9b063bcf848c14e4cecf21950b129fefeb40d6ec95a70
AgentTesla
8470a2e93ae48abb1b987d9927277eb7a3bde99fe0d048274f839cc25aa3aa95
AgentTesla
91e414276a656dc9276aab26d67944f915e2267cd2b1b746193b1fc3225aaeed
AgentTesla
99a8b22ec655fd50aa2bdb93b05e8533ec539feeffacf592cf038a6ede299314
AgentTesla
b8214924a598b9fd3193099fecd6c3d09f06dc5e3a9af098642c7d5327c05cd3
AgentTesla
ba3b49260d4a7b2777b3fc983d532144bc7bab77e35f2608bbdc2854ab7a31d0
AgentTesla
bc02f7f4317f67dcc9ef60b524498431ec0ef0b261f715c4b20371e423b30fb5
AgentTesla
df517a9dbaa0829415080a30f0d2f4d0eb27082aa9f8706997c4f7b3008ebdd0
AgentTesla
+ 11'715 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200624-6hc9hzqaws/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 32900dfa423ec196ff957b08c87d1f45e2c806dfa4fb9dc43d4d2ed2d3ea91a2

AgentTesla

Executable exe 031b0bcde6e169070993f85f816ecaf48f46a90f40f2d08cf5e0089d11d25e32

(this sample)

  
Dropped by
MD5 41b12e0b3b29c5952578f2035de1c040
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13611/
  
Dropped by
SHA256 32900dfa423ec196ff957b08c87d1f45e2c806dfa4fb9dc43d4d2ed2d3ea91a2

Comments