MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39a76f88dd2a2ebc1ef8a21c852813b486cb969d062a973610b60eeaef436e11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39a76f88dd2a2ebc1ef8a21c852813b486cb969d062a973610b60eeaef436e11
SHA3-384 hash: 554901377fcce65a487765cf5eee8240c0db501a237b9ad6cc857a61342407a9780da7dfbef0030f72e9078e304d1228
SHA1 hash: ece5813bbcbb9e67516ffabfc285f909a0a99a9e
MD5 hash: 4c420c50f66b416a244d38c8b255638a
humanhash: burger-gee-snake-monkey
File name:invoice pdf pdf pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:76'584 bytes
First seen:2020-10-13 07:56:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 768:J8NH8HQzK7H7wKYEahRtP1hwz0uBPL2+x86RmJ6eCbr5SdMnffTcBclllBz+OGlj:PvBnrEm1us53d3C3d3TA6Uf
Threatray 497 similar samples on MalwareBazaar
TLSH FC73BBC6AE467822FD3B4234E65423CB0EAB573BD979CF19C989D8B890E02DC1BC7545
Reporter abuse_ch
Tags:AgentTesla exe Yahoo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sonic305-22.consmr.mail.ne1.yahoo.com
Sending IP: 66.163.185.148
From: benco incorporated <dougles_g_russell@yahoo.com>
Reply-To: bencoincorporated@yahoo.com
Subject: Fw: latest PI
Attachment: Products_Pictures_logo_Designs_ pdf.rar (contains "invoice pdf pdf pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70338/
Detection(s):
SecuriteInfo.com.PUP.Optional.AdvancedSystemCare.18249.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/489381
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39a76f88dd2a2ebc1ef8a21c852813b486cb969d062a973610b60eeaef436e11/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 06:18:36 UTC
AV detection:
24 of 48 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hgtw7cg5fixlyhxyuioikkatwsdmxfu5ayvjonqqwyhov32dnyiq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cee45036baef97e9be4d746253f962163c4addc173c3b1d401d54d16b66c36d
AgentTesla
210c6f413be18ff3ba11a0ba9886179cf98e73e43d3e0b366960d04b925e9283
AgentTesla
39738c9fd5866fa8f6eb0473bb8bf03766e4fff79875f184823269e4fedb50c4
AgentTesla
8d706befed861457d7fcf22d6c23b5b66c0ad7fec59552410f07b34723924fed
AgentTesla
8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11
AgentTesla
94493ff262c556d80e0cbfd7bb7741003335e4a10f80111b2756499c6cd058f9
AgentTesla
9db4c4a75f04844a37e15aa0762751beed2422027496e06b76a435c953d94330
AgentTesla
bd5a89235b1e44222a7cda1b6349967af2152683661cef1d8c8ef515d1706828
AgentTesla
ca23807d51b989324e04dafc821c7611cf0ee25d04aa9a20c41a6b92303ca81f
AgentTesla
e63d9fff34fc1c54b4e9bcb779e8101ca5e65f84d84e153c0788dec7d8ee5d42
AgentTesla
+ 487 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
evasion persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201013-cvaenmlwn2/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
39a76f88dd2a2ebc1ef8a21c852813b486cb969d062a973610b60eeaef436e11
MD5 hash:
4c420c50f66b416a244d38c8b255638a
SHA1 hash:
ece5813bbcbb9e67516ffabfc285f909a0a99a9e
Link:
https://www.unpac.me/results/989c6703-d82d-4bb0-9f29-341ce7da86ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/39a76f88dd2a2ebc1ef8a21c852813b486cb969d062a973610b60eeaef436e11

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 89e2021ab6fa9ec200cf0944db86008d8fee7dd6ff60f2d040665f4bc6dd2a29

AgentTesla

Executable exe 39a76f88dd2a2ebc1ef8a21c852813b486cb969d062a973610b60eeaef436e11

(this sample)

  
Dropped by
MD5 250f06ae1d8b19ad6059ab9dd54a7a6c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70338/
  
Dropped by
SHA256 89e2021ab6fa9ec200cf0944db86008d8fee7dd6ff60f2d040665f4bc6dd2a29

Comments