MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3944c8a551e1b51be2f29adf187b63497c7dab93f88755bc086f4e7fc30a759d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	3944c8a551e1b51be2f29adf187b63497c7dab93f88755bc086f4e7fc30a759d
SHA3-384 hash:	0ddc227c61fd3abfd1cccf91d101de2b87409a3917f113df4beaff213302265fc0a46a3787178abc60860507cfa8e4a6
SHA1 hash:	8e24714b193a743a24d7a89e8838d26fc26c142b
MD5 hash:	cb51dddc71733ccc1d8294adac7c90f2
humanhash:	autumn-burger-pip-lemon
File name:	funds 1.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	700'928 bytes
First seen:	2020-10-27 12:54:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cab739e43c454c32f81b4c3978b970e7 (4 x AgentTesla, 3 x Loki)
ssdeep	12288:b5fKn2DZo86SRe1P7/vFACWnZnXmbrU7qisjOo0K9gTHQ:b00S86SRIvcZnXUob0Ot1Q
Threatray	2'368 similar samples on MalwareBazaar
TLSH	C9E4AF63B3E1C837C027293F9C4B5764A93AFE702D646946ABF51C7C9F396813429293
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: host.elala.in
Sending IP: 170.249.198.162
From: Chetan Domali <accounts1@zaleship.com>
Subject: SWIFT Transfer (103) FT20293MH3GQ
Attachment: funds 1.exe

AgentTesla SMTP exfil server:
mail.mphahlelemrattorneys.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/79922/

Detection(s):

Win.Dropper.Lokibot-9781220-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

PUA.Win.Adware.Webalta-6912039-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/513537

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3944c8a551e1b51be2f29adf187b63497c7dab93f88755bc086f4e7fc30a759d/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-10-26 12:59:50 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hfcmrjkr4g2rxyxstlprq63djf6h3k4t7cdvlpain5hh7qykowoq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

22235f4edec77bf047d6f5f3ea4d7b4abcc5b3468d306cb66b92e49001768fae

AgentTesla

46df88abb8b7f783add8e2688ed3fc2632020fc30f6a87172264a4f434af2524

AgentTesla

493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927

AgentTesla

67e8fcfa65a48b5ef7288e91ac8ddab1180cf33150471357485511509955413c

AgentTesla

76e9f23704658774f7a6e20425ab60b0575ba40ab95b5ec670b5601a7c3ccb19

AgentTesla

837b0be05f233ca9b3c73bd07ffebd8c4b2e8dc667d1f5526b6f73653e4edf34

AgentTesla

9c355f67f51dabe24a8cd0374af99c91b2d04a5bb26892f3a92eced0f832b35d

AgentTesla

a20e29b157ca333fd7f6503315be7f41df98bf15172c0a8f6cab83451945effe

AgentTesla

f00571fb0c082a4a7d66d08af1628b4be7515a74e153adee51db8136ed5918ce

AgentTesla

+ 2'358 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan upx

Link:

https://tria.ge/reports/201027-8dnhdwthfs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3944c8a551e1b51be2f29adf187b63497c7dab93f88755bc086f4e7fc30a759d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 3944c8a551e1b51be2f29adf187b63497c7dab93f88755bc086f4e7fc30a759d

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/79922/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample