MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d
SHA3-384 hash: bd7db39d151f9ffed2eeaaf005c2ba187c887a4a2f864f8cf3753d8506bcb6611d9bc52db09c6cbc25f16406f925d8ae
SHA1 hash: 5d27d32ddfb409121245cc2a57d3a67e428676c1
MD5 hash: 716957153760f6aae6b7a8a8b4825868
humanhash: utah-alpha-california-bulldog
File name:AWB#65489786.1245458TR..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:677'888 bytes
First seen:2020-10-16 17:48:45 UTC
Last seen:2020-10-17 10:07:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:dGVOARPZokXK4A6NNCxCaQ2GupnPX/4NsLYyUExtu6:gVOMPZHXK4LNQxHQunX4iLTUEbn
Threatray 635 similar samples on MalwareBazaar
TLSH 95E4CF316B59DF95E07D1377E4A90864A3F9FD069372C62A7CE932CE29B1BE45022307
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.cambrapropietat.net
Sending IP: 213.96.212.75
From: Başak KOÇYİĞİT <basakocyigit@thy.com>
Subject: Hava yolu faturası
Attachment: AWB65489786.1245458TR..rar (contains "AWB#65489786.1245458TR..exe")

AgentTesla SMTP exfil server:
mail.haberis.org.tr:587

Intelligence

File Origin
# of uploads :
3
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72230/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Fareit.jc.27170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494037
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 14:48:49 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdlhaa5d4m5q75rcowfajnrrvqsnb5k7ataapa2p2yn7rqxja5gq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
026b38e8eb0e4f505dc5601246143e7e77bbd2630b91df50622e7a14e0728675
AgentTesla
1011042b7b2b5de9a160551cd8a212a24108b85935744f0cfbe29f8729b57d17
AgentTesla
5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66
AgentTesla
5193daa3e21a010020f044a9167f141a4c9e62d8f19b21dc82049045a2fbee48
AgentTesla
874d56e400622b93fb1606b348a4fc41c112de5c69cc13ef0845d378db9ef6a6
AgentTesla
92210ff813da2d2b0ff5158a6385fff2d25cfa1c74836fe877da90a287611a49
AgentTesla
be83ef519ed5e3e444b10b4dd8a77515cda4993c6ce69f565405c9c2bd0901bc
AgentTesla
de92f367f0cd6124c89fca0b754bf8dafe8a6a993b56380edb5fc8676c58cdb5
AgentTesla
f825e9c3e852a8827bfd8deffef97e1b27ad1b0c0dd97e4806d07bba95c65570
AgentTesla
fc6c24e17bd06e27dcc1ac019e4080d4a1a2f10459f74c17b9bb19fb8ba6e442
AgentTesla
+ 625 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201016-bywrn1sm4e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d
MD5 hash:
716957153760f6aae6b7a8a8b4825868
SHA1 hash:
5d27d32ddfb409121245cc2a57d3a67e428676c1
Link:
https://www.unpac.me/results/8a0f8994-2ed5-4463-9fff-1cfff664ffef/
SH256 hash:
38535a4a0d2984aa8414a44654071ae60651dda1e9277689eb4b42ec8495d431
MD5 hash:
22b2a1821d518787f5de9b39e20c609d
SHA1 hash:
318871b804ed842e12fc03ea9e01883d4ce7671a
Link:
https://www.unpac.me/results/8a0f8994-2ed5-4463-9fff-1cfff664ffef/
SH256 hash:
f5fdccb846284eabb6431ff3ed3caefddf147668bfd51bc55553d97836a15a34
MD5 hash:
df3d03183091144c5c834df0a2978f21
SHA1 hash:
4631f0d78242572c980c051dd42cf57d61135772
Link:
https://www.unpac.me/results/8a0f8994-2ed5-4463-9fff-1cfff664ffef/
SH256 hash:
7ac5b76e51e8bc9710b79146c5a004bcea7fa8bce1ac06bf007b5a6174def95f
MD5 hash:
a46a473d1061690d738876cd5dc9db73
SHA1 hash:
901eba4f01d37e26e9c94a0d94482533a5ffd1b9
Link:
https://www.unpac.me/results/8a0f8994-2ed5-4463-9fff-1cfff664ffef/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/8a0f8994-2ed5-4463-9fff-1cfff664ffef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 34c39d87c33cbdc446afa8c57b0003b24553f19cd66d18b3789efacdcdc0a53b

AgentTesla

Executable exe 38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d

(this sample)

  
Dropped by
MD5 261746319c439c728f7b28864df18453
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72230/
  
Dropped by
SHA256 34c39d87c33cbdc446afa8c57b0003b24553f19cd66d18b3789efacdcdc0a53b

Comments