MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d28762fd17d3315647ac901942b234cbacca781014965398a2079ccc6766337. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d28762fd17d3315647ac901942b234cbacca781014965398a2079ccc6766337
SHA3-384 hash: 73c9dd28f8365dae1ff4a4225350f2f5d592a7e8880897a4e4640f8de21ebd88e13fea562b661da02c14ff04756df9d4
SHA1 hash: a230494659a7d2b6910526726f8c91f8f3b86319
MD5 hash: 85d58b64a9a36939b8569b085d7630d2
humanhash: single-apart-fillet-xray
File name:bank document.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:715'264 bytes
First seen:2020-10-07 10:58:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:Vy3LBHyEXqa+BMx8VrWzvt2+nwRisBAqKGpfG2pYKzS3fe+Lwmv4+OxbOWgog:V8BSNaVUWzvNSisBA38eMYKzx+LpgrbO
Threatray 1'231 similar samples on MalwareBazaar
TLSH 54E4F1243994BF4FD52A8E7B84520824DBF0D0BA4B5BF3876CD715EC894F6D94A312E2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server50.a2zcreatorz.com
Sending IP: 69.16.232.53
From: Dineshg <dineshg@kuehne-nagel.com>
Subject: FASHION KNIT - Payment export invoice for USD 100.122.10
Attachment: bank document.zip (contains "bank document.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68906/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484052
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Disables Windows Defender (via service or powershell)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294472 Sample: bank document.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 41 Antivirus detection for dropped file 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 14 other signatures 2->47 7 bank document.exe 1 7 2->7         started        process3 file4 33 C:\Users\user\AppData\Roaming\yEbIxo.exe, PE32 7->33 dropped 35 C:\Users\user\...\yEbIxo.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp8DC9.tmp, XML 7->37 dropped 39 C:\Users\user\...\bank document.exe.log, ASCII 7->39 dropped 49 Disables Windows Defender (via service or powershell) 7->49 51 Injects a PE file into a foreign processes 7->51 11 powershell.exe 25 7->11         started        13 powershell.exe 23 7->13         started        15 powershell.exe 7->15         started        17 13 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started        31 9 other processes 17->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d28762fd17d3315647ac901942b234cbacca781014965398a2079ccc6766337/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 09:12:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=huuhml6rpuzrkzd2zeazikzdjs5mzj4bafewkomkeb44zrtwmm3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06a10d502aec711bf0ffff177e2020fe0c3a94cb61119ea7ba320de6cbabebb3
AgentTesla
20c6424e353a9e436708bba102710844e52c8ada62ad91e6de65438ee233faff
AgentTesla
2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe
AgentTesla
4a4f7d774032e80c392ff7fe598a05736cf4f71dc0dcf5616ce980f9cbb598ae
AgentTesla
4e0d9011480354268839674ee979b89b902a9672dc5b728c3428bd613ba65154
AgentTesla
5b48475bbc32e2dbd6ebfb746071c6192e57dfdfcfc0cfb1ae9f381663728537
AgentTesla
780a88c79396f2df8841cf5f66f6807402e45b1db65e20f10d6814e6300cf8f5
AgentTesla
96bb500afd48645a966af87ba319dc72388964f84726552f72f31c936c7628b2
AgentTesla
a0062b106277324b51718baac12082f12f735f370173fa3073abf70b86b016be
AgentTesla
cc87cc3cff16721cb3f7e6be1e5be62bcdacafd1fa70ec879c6a9c12a9b438bb
AgentTesla
+ 1'221 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201007-lw1thhh7d6/
Unpacked files
SH256 hash:
3d28762fd17d3315647ac901942b234cbacca781014965398a2079ccc6766337
MD5 hash:
85d58b64a9a36939b8569b085d7630d2
SHA1 hash:
a230494659a7d2b6910526726f8c91f8f3b86319
Link:
https://www.unpac.me/results/52a6412b-886e-4f68-a31a-c5d352bb5a6e/
SH256 hash:
284ebe6e90a1e7a355d7b3f593bd2550983a831e89c94c88d8a238f13e115555
MD5 hash:
28bd00ec068814bed9b2255b5c8c2665
SHA1 hash:
07b1589c6182f5a4254c8175e872ccb84a78792c
Link:
https://www.unpac.me/results/52a6412b-886e-4f68-a31a-c5d352bb5a6e/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/52a6412b-886e-4f68-a31a-c5d352bb5a6e/
SH256 hash:
2600a072dbb671fc41e582386f6ad2304c8b072b4c9d6dc6701bb42eda55cde3
MD5 hash:
930a5ae904a8fe5640b7bdfe470005c2
SHA1 hash:
3f1aef69a48ce91d194b01032dfb778e80c94ab4
Link:
https://www.unpac.me/results/52a6412b-886e-4f68-a31a-c5d352bb5a6e/
SH256 hash:
850e15916b57482cc66f359214927955ccd572d1d4dccedd7d2ce942499b1d62
MD5 hash:
56402aed52d4dcccca3b19969e9978f6
SHA1 hash:
a365e11fa099a18488b228324eb9eb4418679512
Link:
https://www.unpac.me/results/52a6412b-886e-4f68-a31a-c5d352bb5a6e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d28762fd17d3315647ac901942b234cbacca781014965398a2079ccc6766337

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 79be1071551b4012ec13e636740da4c5df296933b275beb7c119083690934064

AgentTesla

Executable exe 3d28762fd17d3315647ac901942b234cbacca781014965398a2079ccc6766337

(this sample)

  
Dropped by
MD5 ba0cba6c6a2d1571402946841bb5e8fd
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68906/
  
Dropped by
SHA256 79be1071551b4012ec13e636740da4c5df296933b275beb7c119083690934064

Comments