MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d5332d39427063ae210b52204b193c7d813fa69933168de167efbc9d8a24140. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d5332d39427063ae210b52204b193c7d813fa69933168de167efbc9d8a24140
SHA3-384 hash: c53a3091f48d0bdfeb17431c0241f50a480bd78f36e39239890647f442399bd23fd0c9b4eb04ab3fc76e45697cecec72
SHA1 hash: 7a87f3a575d2e15a8cdab7b464f0ca69184d73c1
MD5 hash: e26bdd7bf67356af98089f72f4fa083f
humanhash: ack-mars-four-carolina
File name:形式订单#00101(新订单).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:257'536 bytes
First seen:2020-10-22 07:12:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:iK1PzomrAWpotPQnutpDtlaByA7c4q/kZZ8PIj:5lzJEQYhtA7cZkT8P
Threatray 26 similar samples on MalwareBazaar
TLSH 8244AD14CF2F9A63FC887BB7FC244AFE973045185C13EB0A8A465D44DD9E7C41827AA9
Reporter abuse_ch
Tags:AgentTesla exe Telegram


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: hengjiurui.com
Sending IP: 45.133.245.213
From: sales1 <sales02@hengjiurui.com>
Subject: 形式订单#001/01(新订单)
Attachment: 形式订单#00101(新订单).xz (contains "形式订单#00101(新订单).exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74520/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506749
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d5332d39427063ae210b52204b193c7d813fa69933168de167efbc9d8a24140/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 04:38:54 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvjtfu4ue4ddvyqqwurajmmty7mbh6tjsmywrxqwp354twfcifaa._file
Verdict:
unknown
Similar samples:
023fb24e4591fcbbff6096a61e7cbfb79bc1bade9236dd0db6ede7ab1e00bf9f
AgentTesla
06b7205ba6898b1f45883d5a313c1e3e39d8c226eec0ae289f42106af070e8db
AgentTesla
2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b
AgentTesla
5b832740ae1f2a5c2c10e37aadd6d0b74d647a9ff853f091a2262ef0ae2c672c
AgentTesla
7c7ea2d4161707e247fe758ddb23f293a31affbc68820fccbe8417daa0507242
AgentTesla
8a953841629e0122e04d2b8cd56422a90919139f5d00df5f00b804752ce519cd
AgentTesla
973ebbfe874f302c2a1becf596b98ee15598919b1c86dcb9c4b078d1b4535b38
AgentTesla
b4267cab9e3e8255b44e1947b4c6bb40901d9f0654c2d0ab40690851fcacf16c
AgentTesla
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
AgentTesla
ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae
AgentTesla
+ 16 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201022-6yrc5l685e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
3d5332d39427063ae210b52204b193c7d813fa69933168de167efbc9d8a24140
MD5 hash:
e26bdd7bf67356af98089f72f4fa083f
SHA1 hash:
7a87f3a575d2e15a8cdab7b464f0ca69184d73c1
Link:
https://www.unpac.me/results/bb0ae27c-d40f-4b24-85cd-e9435490a0cc/
SH256 hash:
2d9a0cda6cd82a74dd42c6448440d9355558da95999c3b4a37a9a97ffdb59e43
MD5 hash:
a5b8c200c77ba0eeb5749ac2f1fb5f0f
SHA1 hash:
2b7c7ca0e39c98b72b994699a6b1bc27f53de784
Link:
https://www.unpac.me/results/bb0ae27c-d40f-4b24-85cd-e9435490a0cc/
SH256 hash:
b89d8b76a337a192c5f4b9eb21d159d6fc91811239190e14cba2de70d0a2bfcc
MD5 hash:
dee5a07a65d718b3014258d264de0279
SHA1 hash:
ba273793db4941376439a6b180b81d16fc98b6d9
Link:
https://www.unpac.me/results/bb0ae27c-d40f-4b24-85cd-e9435490a0cc/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

xz 1235e90b597ef288e124884a7bc325cbf1f9c23ad3e839c9b695bac356add7c0

AgentTesla

Executable exe 3d5332d39427063ae210b52204b193c7d813fa69933168de167efbc9d8a24140

(this sample)

  
Dropped by
MD5 10cbc3d18440f2ebf3504cfc3449a29e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74520/
  
Dropped by
SHA256 1235e90b597ef288e124884a7bc325cbf1f9c23ad3e839c9b695bac356add7c0

Comments