MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aaaf20441f4c63cae5963d1a4244c443a32d517b95be1a26d8c77f2debca232. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3aaaf20441f4c63cae5963d1a4244c443a32d517b95be1a26d8c77f2debca232
SHA3-384 hash: 35f6243bf737718f6feec493fd3c9b356b76e53b3fd718429f52f5be85f174ad74eb3f3620c64b1f9c7f96a145d4cd49
SHA1 hash: 5ce4dbbf1cf175d77eae7cbfb0506c3e7cee7947
MD5 hash: c5c8044c62cc54b3c5b80fe8ccb8aaf5
humanhash: cold-sodium-johnny-music
File name:ER mexico.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:904'704 bytes
First seen:2020-11-25 14:11:38 UTC
Last seen:2020-11-26 06:49:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:D7uh2iw5IHT5zPvEVL+mZLv1ZhY/uBZ5pZspLUhbRxyHpru6vKHA0Czvh:mhn35LvEVH99BNehMbRGRuc0C
Threatray 1'609 similar samples on MalwareBazaar
TLSH 2E155A27F38C8798DF682BF490320D7A216AFE21467DE56CCED9BC675B731A80075681
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105645/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/547017
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3aaaf20441f4c63cae5963d1a4244c443a32d517b95be1a26d8c77f2debca232/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-25 14:11:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkvpebcb6tddzlszmpi2ijcmiq5dfvixxfn6ditnrr37fxv4uiza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0522494bc4a2bf38c14fc1bbbad35678d647c774c35c1597e294c815e773955c
AgentTesla
0a9ce88cb32da5f8aab38458eb7b58db8ca8250a06e98d6c1a9eda48d7a1aac1
AgentTesla
0f20eb4400b00c0698e5f24ca1541203eab68f6104aa15e8002bf845b0326076
AgentTesla
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
AgentTesla
6c172122db5af54bec6f1a6255169ff95ddebce78bc550814c701ef7e2664f58
AgentTesla
a88db831c2dbd27895d7d042a3e4e604bd82caad37d51fccc76dfb81d884ffba
AgentTesla
bb9f144fc5d1937fd7763d389d52ac989d27b8511cc608ec3de09709ac429b4f
AgentTesla
e01ebcaeb9a4d013354443b10df0a2280861bb290e7c88bc32055dbfbfaa2065
AgentTesla
ea38d6c624c939a89adfd073dbd1253e6126ab202b84dac07c3d362f2b528adf
AgentTesla
ede0c266836e85d1ac3bc623377fda09bb0135a9746a0ecde6d7c52c7eddfc24
AgentTesla
+ 1'599 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201125-8xae5xtgqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
19495c10264d88d63875faafed08f973226b2441d706471acc5efd535acf6535
MD5 hash:
15bf6b799c41af0b9ac6824ce590aada
SHA1 hash:
4fa653305654f1470f18730c2a592c3b9165359c
Link:
https://www.unpac.me/results/2061346e-cb40-4b29-8ecf-91db32edb516/
SH256 hash:
ed947da11e0d790743bec78c8833ec9b03c7348d445777b1fa15a7d42762ec7a
MD5 hash:
7dcf3ad7d07b99f78dd91ca36d1ef304
SHA1 hash:
9700da39cc7051740972fc7e1945f56098a7c024
Link:
https://www.unpac.me/results/2061346e-cb40-4b29-8ecf-91db32edb516/
SH256 hash:
4e4d7dee82b1bd64427b3f921fb7f6b0eabe108a5f2c31362af9d3dc4a696bb3
MD5 hash:
a871f8eb16b7cfd1706eea776749c445
SHA1 hash:
9b4e1104b9adbf13f1f83021b8bf1c3ef9203b10
Link:
https://www.unpac.me/results/2061346e-cb40-4b29-8ecf-91db32edb516/
SH256 hash:
a3a008b87ded765ed76c9bedd06dbae5f62edd573da15d376cb3fb91b4bd7f09
MD5 hash:
5ae25f51e2881f74cc9e057ef48c02a6
SHA1 hash:
a8e9e48e0e788e76ce01e923946bfb0c2098b39c
Link:
https://www.unpac.me/results/2061346e-cb40-4b29-8ecf-91db32edb516/
SH256 hash:
3aaaf20441f4c63cae5963d1a4244c443a32d517b95be1a26d8c77f2debca232
MD5 hash:
c5c8044c62cc54b3c5b80fe8ccb8aaf5
SHA1 hash:
5ce4dbbf1cf175d77eae7cbfb0506c3e7cee7947
Link:
https://www.unpac.me/results/2061346e-cb40-4b29-8ecf-91db32edb516/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/3aaaf20441f4c63cae5963d1a4244c443a32d517b95be1a26d8c77f2debca232

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/105645/

Comments