MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c85e3f78145e29fc8f45fb72d497f856cc1dd054d34d2588d306cb96f30e29f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c85e3f78145e29fc8f45fb72d497f856cc1dd054d34d2588d306cb96f30e29f
SHA3-384 hash: 8ca75edc571c1fc1af578754022f5c2bc5ac235a9d4c349a6c7261f10bc02f2626a0e94174305fb2a7022cb0aca53f00
SHA1 hash: e173263262b71f20c036f3f782001228f4bcdcc9
MD5 hash: 4175578b86dd6f931580e71cd816b683
humanhash: berlin-florida-massachusetts-florida
File name:Sars documents.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:665'416 bytes
First seen:2020-10-20 06:26:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:5kNzxytgxJxQAdCTmQ0ty/LNTcI14h+Fk3JwyYhqQI1NeewxeX:SBxya39CTm9thIWX3uyYETNbwxeX
Threatray 645 similar samples on MalwareBazaar
TLSH 5CE40B2C7AF87422B65EFF259D416C6007BE7057C17048AF34EE8EC893ED1972946AE4
Reporter abuse_ch
Tags:AgentTesla exe geo SARS ZAF


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: box.johnsonclean.co
Sending IP: 185.247.119.27
From: noreply@sars.gov.za
Subject: SARS eFiling Letter Notification
Attachment: Sars documents.z (contains "Sars documents.exe")

AgentTesla SMTP exfil server:
zstcznz.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73244/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.15976.11838.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/497083
Signature
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c85e3f78145e29fc8f45fb72d497f856cc1dd054d34d2588d306cb96f30e29f/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 16:22:51 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsc6h54bixrj7shul63s2sl7qvwmdxifju2newengbwls3zq4kpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d708c83b36fe0c753363337dcd0a940e8e9ce2927a9847e56deed6b98fa5b5d
AgentTesla
1a491366f51516a92c36a9adf1db7c9c18ee6ae24bb18b4a296d0e1d0f81912e
AgentTesla
66c8e38b2f545edd7660168b8e778c165f200867abb90cd07c2f033ea1ae8405
AgentTesla
83c594ac88f5f244b256a60178ece0bf715c3c4ef0d93973ff0a741453b71ba1
AgentTesla
95b6a02e3bfccd61edaa3f291e2daaed0ee8852a80f26ac7ecb6a1ed7c416845
AgentTesla
97a4e627e5182df35863f15f757d3de6f98fb7f3d94664a751df46a9d0b1eb8a
AgentTesla
9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab
AgentTesla
b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181
AgentTesla
c5a6b816ef66b1c222ca59df4e8e75eed744b3d758430eef345c78e9417aa138
AgentTesla
d8dc17c4b3642e45151c21b7e02f12cda99c8c5ee51549a6f271c3ea1b436c3d
AgentTesla
+ 635 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201020-cjxxkt5696/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
3c85e3f78145e29fc8f45fb72d497f856cc1dd054d34d2588d306cb96f30e29f
MD5 hash:
4175578b86dd6f931580e71cd816b683
SHA1 hash:
e173263262b71f20c036f3f782001228f4bcdcc9
Link:
https://www.unpac.me/results/e338e347-037b-42c3-89fc-768a20232061/
SH256 hash:
d52132fde3da3c5f23ab0c77dfca14339996ec818b55a559e8b77d5756d96564
MD5 hash:
2886bdaf1f1a322685c6b5078d61ebaa
SHA1 hash:
0a899cff3a6cccb99b7cda052dcf5d1a619cb44b
Link:
https://www.unpac.me/results/e338e347-037b-42c3-89fc-768a20232061/
SH256 hash:
1d8b8b93deea922cbed23546c2b757fc1f8260faf182837e53b76288357190e6
MD5 hash:
9085958a70a69f3f18415a89e5dd4fd9
SHA1 hash:
a9aacdee5d5f5fb3b259aa319678f8851d46ee01
Link:
https://www.unpac.me/results/e338e347-037b-42c3-89fc-768a20232061/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c85e3f78145e29fc8f45fb72d497f856cc1dd054d34d2588d306cb96f30e29f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z af6072fa3061c3e7356f142b9a1b94fc69b1b13adaa1006c8d71266eef6fbe97

AgentTesla

Executable exe 3c85e3f78145e29fc8f45fb72d497f856cc1dd054d34d2588d306cb96f30e29f

(this sample)

  
Dropped by
MD5 b37b50c0b7a64bbe2ae43874b5e3f9bb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73244/
  
Dropped by
SHA256 af6072fa3061c3e7356f142b9a1b94fc69b1b13adaa1006c8d71266eef6fbe97

Comments