MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 312b49a82f8571c6c85b8322115dd46980e9005010c8e3c1d2fa27b0cb1ff0a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 312b49a82f8571c6c85b8322115dd46980e9005010c8e3c1d2fa27b0cb1ff0a5
SHA3-384 hash: 6cb536b4d67da8a7f0741a132673cf8e426557296bdd4f795fe6ec3606db16eac5dab8f317d9309e57e5265840286c94
SHA1 hash: 3bf29c54256fb74fb4d4930c6c7f5f69db63c239
MD5 hash: c351248da0db7003c219d1d98fd729e6
humanhash: undress-seventeen-seventeen-emma
File name:Shipping Document PL&BL Draft Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:718'848 bytes
First seen:2020-10-20 08:40:29 UTC
Last seen:2020-10-25 21:18:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:mQEhSe2iNeRLkROZSHAKCmvccDCX7hwhyMrSqrldk/yBb04+mH:m11URSHAKCxcMqgqS6OyBb9+
Threatray 678 similar samples on MalwareBazaar
TLSH 21E4E07133F89F25E03E9778143061419FF1A503D762D6AABEDD11AA4FA2B924733B12
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: winmedicare.com
Sending IP: 95.211.253.203
From: Clare Liddiard (DHL) <sudeep.goel@winmedicare.com>
Subject: Consignment Notification: You Have A Package With Us
Attachment: Shipping Document PLBL Draft Copy.zip (contains "Shipping Document PL&BL Draft Copy.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
3
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73380/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497389
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/312b49a82f8571c6c85b8322115dd46980e9005010c8e3c1d2fa27b0cb1ff0a5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 00:29:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gevutkbpqvy4nsc3qmrbcxoungaosacqcdeohqos7it3bsy76csq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3d24a5a1d350ea3d4e9bd5b02b65493835b6d9c559c3e3b7df5852916188d9d4
AgentTesla
48f8e8504e89f98adb7acc7f938cb133b7d17a4acacdf1bf36dcc02abe51e87e
AgentTesla
5b10f4a23880b51923a0df3e9e3c37f40eb0d3cc93de7b463da62f936a501385
AgentTesla
61cd0eb067277dda91558901ac1d3b45bf56f4d4fec39270e4975de550477513
AgentTesla
6c489ebc2d7b407a9058479ee3e54b83949ef2a58ce749528cea74b4f0b5db0e
AgentTesla
b29880b2403337ef4fb3c644c4b033327cb6e2828d28799a0cc6a708cc0afaa4
AgentTesla
c4417a6bdfb8727b6cb186c09a2e3700ec563324bb60d22544a6ee5b8a2eda29
AgentTesla
c8946b73ca20ba2454e510f081a9d33d60d1ba9291471a0ba5abb649ff0d25d4
AgentTesla
e5a94739fb1f6d7a06f6b9eb529037c9ab0d59be424d4b99c63651360d7ded3f
AgentTesla
e6d2c97461c6aac9ea130eaa96f9927b57998c04b5e7573a555caa729178a70c
AgentTesla
+ 668 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201020-fxnr8aqjsa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
312b49a82f8571c6c85b8322115dd46980e9005010c8e3c1d2fa27b0cb1ff0a5
MD5 hash:
c351248da0db7003c219d1d98fd729e6
SHA1 hash:
3bf29c54256fb74fb4d4930c6c7f5f69db63c239
Link:
https://www.unpac.me/results/e5230323-df5c-44c4-b015-3351e7411519/
SH256 hash:
7adf710407d8691f49a5cdef2395539f436a421b739d77823d3ed187c5639bd6
MD5 hash:
e9094e16449a4f2fc1c3bbbb1da28057
SHA1 hash:
52ee675922a3da3e006a9dd83e3e41a284bd4251
Link:
https://www.unpac.me/results/e5230323-df5c-44c4-b015-3351e7411519/
SH256 hash:
a97ea75b2bdf090b019f6b67abfec6728892226bec94fb876f22dfe8fa9470bc
MD5 hash:
b52be4cdad36eac14fe20d0bf5befceb
SHA1 hash:
56ed40b668babb657190d2b1505a40e0abdffbb5
Link:
https://www.unpac.me/results/e5230323-df5c-44c4-b015-3351e7411519/
SH256 hash:
33488933b0c4ea448eccc52490f8aa0ecfe0a981cdac34e4cb97b7fa1ef5e46e
MD5 hash:
e5b6b10038f1dea684deef3855b66982
SHA1 hash:
697f0e326e7953a9e6285cdd14efb1488d68c6af
Link:
https://www.unpac.me/results/e5230323-df5c-44c4-b015-3351e7411519/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/e5230323-df5c-44c4-b015-3351e7411519/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/312b49a82f8571c6c85b8322115dd46980e9005010c8e3c1d2fa27b0cb1ff0a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 62b7c49dd5e56ed2ef207e9c4b72c06bb0e59dfcc1d93ff9faf6c3229ae468af

AgentTesla

Executable exe 312b49a82f8571c6c85b8322115dd46980e9005010c8e3c1d2fa27b0cb1ff0a5

(this sample)

  
Dropped by
MD5 b0cfa08ff939050b2e2e8f91f29e8b5b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73380/
  
Dropped by
SHA256 62b7c49dd5e56ed2ef207e9c4b72c06bb0e59dfcc1d93ff9faf6c3229ae468af

Comments