MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3484fcffef25d70f380c755917a11ef9088839383359d40888704897c2b3c1b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3484fcffef25d70f380c755917a11ef9088839383359d40888704897c2b3c1b9
SHA3-384 hash: c296aa55649195fd852fe83b9d298bc4daf28c23ec0c36b2c2e62cf3ec8e6d8d7fa350a098c1452fb445a20db0c0ef89
SHA1 hash: df969285444917ba2a3e540126bd87949fe742b1
MD5 hash: 3e321c61179e2d24e95ca1808a454a7f
humanhash: october-floor-earth-cup
File name:HL-50208488 AEJEA 81890010169430 BC ORIGINAL.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:385'024 bytes
First seen:2020-10-10 13:07:25 UTC
Last seen:2020-10-10 13:37:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2123b55b1da3ef56598042753458327 (3 x Matiex, 2 x AgentTesla)
ssdeep 6144:Dh7igDERN6BtjgwWotU1V0px461HAdr7fr1yLJc1uL//TYuKwOkZN:c96BtjSoyQD461Cfr10q1uz/ikZN
Threatray 7 similar samples on MalwareBazaar
TLSH CA848D60F30099F9F41A007978F6F52821277A3A9329854E348A775F2EB339515B7E8F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.57.209
From: Leticia Cruz Gutierrez <sumintern@prodigy.net.mx>
Subject: ORDEN DE COMPRA
Attachment: HL-50208488 AEJEA 81890010169430 BC ORIGINAL.zip (contains "HL-50208488 AEJEA 81890010169430 BC ORIGINAL.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69747/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a window
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/487504
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3484fcffef25d70f380c755917a11ef9088839383359d40888704897c2b3c1b9/
Threat name:
Win32.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 20:19:36 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gscpz77pexlq6oamovmrpii67eeiqojygnm5iceiobejpqvtyg4q._file
Verdict:
unknown
Similar samples:
02d200c2f53874fe8aeb1df2de6f1c46c507b808b976a6f93cf1c541b7b9ecc6
AgentTesla
182bb780697bc253a6186a077bd17cd952abf8f823ab8c87205eed570c9865d3
AgentTesla
90aa9f9ad74752d2965816d8d68399d2b1c4fdce28c2ca57753196b3a2d60b34
AgentTesla
9637aff986e8795e82308aa077349b80989b6b0ca89973e209d3dee98da1e464
AgentTesla
ec6afc29beafb4093f0aca9fa00e1c3097dac94baee4801eebc5043de4556781
AgentTesla
f23176b88ae0da50473883837d6368b64c86e2f7c5a7cc3b59566f461318d99f
AgentTesla
f532c606947a2abffb614405ed58ec56bbba9b54f71b1bb00c824e46442d90a7
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201010-qa57bpcmgn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
04a661a41e8bf74d2e18d3738e3a6fca1aa0f640c1d6567f8fa840e3e6fee8ca
MD5 hash:
d035ac9949d54cb1290113ae09a9431d
SHA1 hash:
3ccfea2c2da39de37f83d203afd26d904bf0ea86
Link:
https://www.unpac.me/results/0b26c004-fda0-4c3e-b14f-45f9acd61bfb/
SH256 hash:
3484fcffef25d70f380c755917a11ef9088839383359d40888704897c2b3c1b9
MD5 hash:
3e321c61179e2d24e95ca1808a454a7f
SHA1 hash:
df969285444917ba2a3e540126bd87949fe742b1
Link:
https://www.unpac.me/results/0b26c004-fda0-4c3e-b14f-45f9acd61bfb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3484fcffef25d70f380c755917a11ef9088839383359d40888704897c2b3c1b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e7984cb555a8cfeeec1e708b0db3d6ef167410eb36b90aa1f8030d475ea0faa2

AgentTesla

Executable exe 3484fcffef25d70f380c755917a11ef9088839383359d40888704897c2b3c1b9

(this sample)

  
Dropped by
MD5 758c662064c52d26b871b58595020c0b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69747/
  
Dropped by
SHA256 e7984cb555a8cfeeec1e708b0db3d6ef167410eb36b90aa1f8030d475ea0faa2

Comments