MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c359f5677b780cc968723ceca8310ed20ae4bf691bd9900c7d334303b101776. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	3c359f5677b780cc968723ceca8310ed20ae4bf691bd9900c7d334303b101776
SHA3-384 hash:	8ee8b5e96824d7f4879ebad276b45335165cf610c76049f2fdb8f4370c33fdd0c0365be1e69a4320adc3408b1f91810f
SHA1 hash:	999f1cb4fac32f3f8e97e21b1c44186540c14d2d
MD5 hash:	848f32374aff34d10233e89796e1b799
humanhash:	four-fix-massachusetts-harry
File name:	Purchase Order.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	668'160 bytes
First seen:	2020-09-23 09:42:55 UTC
Last seen:	2020-09-23 15:03:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'448 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:JCGDah87AwmYuxpXGAIO5P0wtuknzuYtgwM++ro:WqAwqRIS9t7ptgwMRro
Threatray	80 similar samples on MalwareBazaar
TLSH	65E4D00132F23B09E1A84BB40259B9B3C3B54551B762C7987F4722BD96F27E07E25B4B
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/64783/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.438.8061.28013.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/473165

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3c359f5677b780cc968723ceca8310ed20ae4bf691bd9900c7d334303b101776/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-09-23 09:44:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Verdict:

suspicious

AgentTesla

0b1453de5134635dc69e8359da060210c55e2af6c875497512db6332486e3ea0

AgentTesla

15ef597d7c75003efe90c9a85c5a80066671c664a1db0ea6be28c0e0f1370be3

AgentTesla

19b7ae6956a38825ac143952843f6e046c642a9dc635e18d4f84dcff4568c142

AgentTesla

614052880e43375009bd02fcb10e8399d2e855cff58fc27ad94711dee1973186

AgentTesla

7301fa4edc89a5bd4a18479ebf5b88460ee35b4631e147a8754866a58bcae873

AgentTesla

93d22d39577ab983c75badd9019b57420a4e2bfc300d6a37d90885d823396058

AgentTesla

d98f8380522e71c61b91d1fbdf98c0528fc20388a85695529824754f00a183a1

AgentTesla

dc4eaa151b01375e0ba2392396b60e6abebab99e5590c93ab23ee3063aba5eb5

AgentTesla

fd2459ab88ff9a3215a3fa5d4a762617842bd7e4a5185b88b632caa7c52c7edd

AgentTesla

+ 70 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla evasion

Link:

https://tria.ge/reports/200923-m6z62t7jrj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Maps connected drives based on registry

Looks up external IP address via web service

Maps connected drives based on registry

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3c359f5677b780cc968723ceca8310ed20ae4bf691bd9900c7d334303b101776

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace 8cc5c2cac74cb32f3bddff422a3417cf6b138312ea60a7dca322fa1cf622c4f4

AgentTesla

exe 3c359f5677b780cc968723ceca8310ed20ae4bf691bd9900c7d334303b101776

(this sample)

Delivery method

Other

Dropped by

SHA256 8cc5c2cac74cb32f3bddff422a3417cf6b138312ea60a7dca322fa1cf622c4f4

Cape

https://www.capesandbox.com/analysis/64783/

Dropped by

SHA256 cfec0f8ad0a8eb02df64eefa46d486869e9e19c4ec203e8b8f1defddc9000025

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample