MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 308ff6f4141951ceb5332c273a6bb6782443482b229f47bc32a8ebd0cb57fbfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 308ff6f4141951ceb5332c273a6bb6782443482b229f47bc32a8ebd0cb57fbfc
SHA3-384 hash: bfdd6d26180df5b0acd13c0a6661c4f11da1575623d257893b924abb203c6ce5367bf6f28690656cfe07693a10bd9585
SHA1 hash: 9a21cdc731962a485c703ba0bf47ac6d99b6882d
MD5 hash: 3ec42d240d2d4539cfec8fd34da38e8b
humanhash: dakota-batman-fanta-edward
File name:Past Due Invoice Unpaid.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:798'208 bytes
First seen:2020-11-03 13:28:03 UTC
Last seen:2020-11-04 11:26:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7019f6d8353af8d9769c4901ee56f7f6 (4 x AgentTesla, 2 x Loki, 1 x HawkEye)
ssdeep 12288:76lf28cLnCpZpA75eLXnEjuAkxXNcoMvASnbolgdZKgD:O5eU0MXELeXNckSbolgdZjD
Threatray 2'468 similar samples on MalwareBazaar
TLSH 2B059E22F5915833D3632A789D1B5764983ABE13393DA9463BEC1C4C5F3928C397A393
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
4
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/82037/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Changing a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/519168
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/308ff6f4141951ceb5332c273a6bb6782443482b229f47bc32a8ebd0cb57fbfc/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 13:29:06 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gch7n5audfi45njtfqttu25wpasegsblekpuppbsvdv5bs2x7p6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ea9a1325e5cee80f559671e5eb244320f9e86cde7f3bfb98886dc4950d6002e
AgentTesla
22235f4edec77bf047d6f5f3ea4d7b4abcc5b3468d306cb66b92e49001768fae
AgentTesla
3f643208ad4025825d073c43dc40f4453df1cae39be3cc31b647236d76657fa1
AgentTesla
404a8a0adbd4a85e364eb3083b802c19282bfd1cb34a74ca257141db1fca34bb
AgentTesla
512a3ca963394c011a96212499373a7baa29456fa0d501f72f42f49dd224f4a9
AgentTesla
be9f5e6022d9789d876755aec74c292164c2a751ddc977db7a0f9c800967b56d
AgentTesla
d622d02dfd5ebd085c835d848b2a25091c06751f150575b9092bb99e98f94e31
AgentTesla
e4ef5297d417e9facedcefdc568d9f09deb3df0217d94a69dfa23c1238e1eced
AgentTesla
f030d590fcb9a74113d0e1e3b912bda207354996313320bee267f209be4a6129
AgentTesla
feb639dabb33ddc8d08dc3065a7a869225419d52be2aa0ec247377607a426ef3
AgentTesla
+ 2'458 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201103-gfb487lg96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
511058f494007d6e3d4457ce79903d2aaa379912a5f6ae35e1c46dce678f45cf
MD5 hash:
707c8ea9ec4113bca573f3cb73894f0e
SHA1 hash:
ed39d29654c1058659c5c95105b31b8f0f0c289d
Link:
https://www.unpac.me/results/64ed0913-1812-4d28-b16f-1a74e3449f2b/
SH256 hash:
41fd1b93791e6ba0d2aa9b780355e0bd1ae4f7d22b07aa4c5ae8dba99b7dfdd1
MD5 hash:
06f7d94d7186ae852600b430aaeec4d1
SHA1 hash:
f5bc73a435d69dbd586c72ed749d099c56ebb661
Link:
https://www.unpac.me/results/64ed0913-1812-4d28-b16f-1a74e3449f2b/
SH256 hash:
308ff6f4141951ceb5332c273a6bb6782443482b229f47bc32a8ebd0cb57fbfc
MD5 hash:
3ec42d240d2d4539cfec8fd34da38e8b
SHA1 hash:
9a21cdc731962a485c703ba0bf47ac6d99b6882d
Link:
https://www.unpac.me/results/64ed0913-1812-4d28-b16f-1a74e3449f2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/308ff6f4141951ceb5332c273a6bb6782443482b229f47bc32a8ebd0cb57fbfc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 40925bd30adef223430065caf0f5af2be5dbd57cbf02769213b5e597eddae297

AgentTesla

Executable exe 308ff6f4141951ceb5332c273a6bb6782443482b229f47bc32a8ebd0cb57fbfc

(this sample)

  
Dropped by
MD5 837354456a6e5e1fb4a94176fbcde295
  
Dropped by
SHA256 40925bd30adef223430065caf0f5af2be5dbd57cbf02769213b5e597eddae297
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/82037/

Comments