MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e
SHA3-384 hash: 6940c453f186036d789fee25dd6edcdc5eecc8be65858ba2957d6dc2683783435393da1119b379cc63c1ebd6803a13e8
SHA1 hash: 5d2181f018ab4b8afd6b193e4651233b44ad7d62
MD5 hash: 947edeb169369ac67c5448cc2f8104a3
humanhash: mockingbird-whiskey-jersey-papa
File name:USD67,884.08_Payment_Advise_9083008849.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:881'008 bytes
First seen:2020-11-21 19:33:49 UTC
Last seen:2020-11-23 14:25:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 89589872fc7726fd761d44d4f95ea8b1 (1 x AgentTesla)
ssdeep 12288:sp7ku8t5ppfEQetKjNRfdjmrY2CprWkbR7X8uD79b7eUlgufunPQNZT:sp7Xs5otKjNR1J2YRPDR2eZfunPQDT
Threatray 477 similar samples on MalwareBazaar
TLSH A8157C52B291843BD223163C9D9BA6657B29BE052E28A4427BF59D8CCF373C17D3B143
Reporter cocaman
Tags:AgentTesla exe HSBC

Code Signing Certificate

Organisation:Microsoft Code Signing PCA
Issuer:Microsoft Root Authority
Algorithm:sha1WithRSA
Valid from:Aug 22 22:31:02 2007 GMT
Valid to:Aug 25 07:00:00 2012 GMT
Serial number: 2EAB11DC50FF5C9DCBC0
Intelligence: 22 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: DBD5BD417B78886EDC1574F5E872F3E1C0B07522B6881B95B6DD872AEDBEB30D
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
6
# of downloads :
333
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/544637
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321416 Sample: USD67,884.08_Payment_Advise... Startdate: 21/11/2020 Architecture: WINDOWS Score: 100 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected AgentTesla 2->31 33 Machine Learning detection for sample 2->33 35 Initial sample is a PE file and has a suspicious name 2->35 6 Uclldrv.exe 14 2->6         started        10 USD67,884.08_Payment_Advise_9083008849.exe 1 16 2->10         started        13 Uclldrv.exe 14 2->13         started        process3 dnsIp4 21 162.159.138.232, 443, 49733, 49738 CLOUDFLARENETUS United States 6->21 23 192.168.2.1 unknown unknown 6->23 37 Multi AV Scanner detection for dropped file 6->37 39 Detected unpacking (changes PE section rights) 6->39 41 Detected unpacking (overwrites its own PE header) 6->41 43 Machine Learning detection for dropped file 6->43 15 Uclldrv.exe 2 6->15         started        25 airseaalliance.com 198.136.51.123, 49708, 49734, 49739 DIMENOCUS United States 10->25 27 discord.com 162.159.136.232, 443, 49707 CLOUDFLARENETUS United States 10->27 19 C:\Users\user\AppData\Local\...\Uclldrv.exe, PE32 10->19 dropped 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->45 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->47 49 Injects a PE file into a foreign processes 10->49 17 USD67,884.08_Payment_Advise_9083008849.exe 2 10->17         started        file5 signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e/
Threat name:
Win32.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2020-11-21 17:26:24 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hke2phuclpztby7ki33kl5kikknwilogcim2rxxk5qdqubuiucha._file
Verdict:
malicious
Similar samples:
1ed66c4e244784bcbddb1f678881aefd150eee95206bb6905fc38383805fe7b0
AgentTesla
21b054a3b319b950887eff329ebb237a5d442e6742e94d66d2ff17cd85f8d930
AgentTesla
29cf2f87bd9503ddd65e08e9aab1e80bfef318873e649ca0db4e6b079f31b9a4
AgentTesla
4273b1d1ede5642d214be245fd041250539f7f34779737c37856f602491948f5
AgentTesla
7e9b9bbb673e25ab8ee790dbfd2a3e489c0d3a88ab73aafe671f68982f1b41da
AgentTesla
7f9c9b969cacb0ea5d679baff92d33438a27ecb67786022aa03f9f43a4ce56f4
AgentTesla
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d
AgentTesla
bb06b854327139dfb8b3ecacff60c3dc13dc485ee74eba0e71afe575299fc252
AgentTesla
d41ec4b08eee7e5c1d34cdb17e9a9828f1901d90ef8c691a66c21c3fe72fc44b
AgentTesla
e2d0cdf0caec3c6dfa7a88840f6d6202c6d846d6ae89fe8f2ce271f3b36b6ba9
AgentTesla
+ 467 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:modiloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201121-lxteb61sgs/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e
MD5 hash:
947edeb169369ac67c5448cc2f8104a3
SHA1 hash:
5d2181f018ab4b8afd6b193e4651233b44ad7d62
Link:
https://www.unpac.me/results/fe70619f-7189-4610-9104-8b84d2903a40/
SH256 hash:
0e3ee409ffe7520d55333c38ac0819c2f0e2352e00e9e9e19b6b5df127af1968
MD5 hash:
65dd69c63cc8881bdfc3e3c1780f094d
SHA1 hash:
11f79d30743bdd289cb3aed5630e815d565f9132
Link:
https://www.unpac.me/results/fe70619f-7189-4610-9104-8b84d2903a40/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 9cba1f684829766e90de6c030625e550e0ee4b88575e35a904c5b4bcb1439b9d

AgentTesla

Executable exe 3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9cba1f684829766e90de6c030625e550e0ee4b88575e35a904c5b4bcb1439b9d
Cape
Cape
https://www.capesandbox.com/analysis/105200/

Comments