MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e3d152759cbe2a09c5d88af90483638866ae67101b7094816248c739d0917b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 3 Comments

SHA256 hash: 3e3d152759cbe2a09c5d88af90483638866ae67101b7094816248c739d0917b2
SHA3-384 hash: 8c7bcc4c2d66bb10ea9f3888a19454ca4777cc248ea4340ee6d788914b905ccb4dff76a8763697ff8c31e3f2b5ca3f5a
SHA1 hash: 74efd44bd9ed7c3ae5d4f6b0487a6dd6bb4a57af
MD5 hash: f505beac7f7bc5012780705a42338ac2
humanhash: triple-december-mirror-yankee
File name:Payment4758475.exe
Download: download sample
Signature AgentTesla
File size:449'536 bytes
First seen:2020-06-25 09:36:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:pbDMXdOfgH0A2sjjML10vvHYg5nmr8luXiGmS:Bhg016crziGZ
TLSH A6A4F10B3B5CE913C5BC19F9D8D25B8413B59E6AF291F2EA2C8079EA25E37D044127C7
Reporter @abuse_ch
Tags:AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: puppy.vivawebhost.com
Sending IP: 174.136.57.132
From: sales@sunrvun.com
Subject: RE: PROOF OF PAYMENT
Attachment: Payment4758475.rar (contains "Payment4758475.exe")

AgentTesla SMTP exfil server:
mail.sunrvun.com:26

Intelligence


File Origin
# of uploads :
1
# of downloads :
40
Origin country :
FR FR
Mail intelligence
Geo location:
IT Italy
Volume:
Low
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with Startup directory
Unauthorized injection to a system process
Gathering data
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3e3d152759cbe2a09c5d88af90483638866ae67101b7094816248c739d0917b2

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments