MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e5a8f8b4f91747935f9f40474b21de8d345653189e370c5c39715ff57ccd414. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e5a8f8b4f91747935f9f40474b21de8d345653189e370c5c39715ff57ccd414
SHA3-384 hash: 8cefed99ab73b0a99db9c5a25c9fea1a42c0ab864e790c4d0a4cea7367b3d1862ad43841219bffe79dda2a64386318b1
SHA1 hash: 7e09546b68d8e8413313ad06cb6dfa589773ef28
MD5 hash: b4ce868cad04e1f56adda8e3c7e1d274
humanhash: princess-avocado-butter-uncle
File name:ORDER FORMS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:953'328 bytes
First seen:2020-06-11 06:13:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:w5GlBrHx8rXBj4moc0YmThVsxfXun1zu+l:eGln8rXtdoNThuxfXu9u+l
Threatray 389 similar samples on MalwareBazaar
TLSH 3515F1211F2DF851C90C88F3F65384CB6A70AE6457C1EA93796BBA3F417C352AE1D11A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: apollo.t.mk
Sending IP: 195.26.152.35
From: khrbitola@t.mk <khrbitola@t.mk>
Subject: BOOKING
Attachment: ORDER FORMS.arj (contains "ORDER FORMS.exe")

AgentTesla SMTP exfil server:
mail.radiomeff.mk:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8913/
Detection(s):
SecuriteInfo.com.Artemis.4166.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 06:15:09 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzni7c2psf2hsnpz6qchjmq55djukzjrrhrxbrods4k76v6m2qka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10aea232a4a2b22d37b55a27d8ccd6b035935700fddfe63c4ec0f0a4e5b7a7ce
AgentTesla
1d4b91dc88ea2559572438fe3b57c6449bb5e0a66c9f3f9e90a22393caf5d30c
AgentTesla
5205f5e4d159f32f819aac8c870fffb7612b13c0a0d12236730743b9239251df
AgentTesla
b07fc0cda6cbe5231e96b4a53ff2519f6531bc048e9bede988fdaa94fb1a3863
AgentTesla
b186287c6298b4ca285cb9da1e82ffd351c4195f7673d93aa595aa987cb01676
AgentTesla
bcbc247fa3511376777587035868c9a0f8fda850fa5f7d84c81fa5de905bc0d6
AgentTesla
c166a4a1899462e20516825c87f9545cdc7b24654d1f18b864da4ee641af5ace
AgentTesla
d1cd1dfe3657445da551255b38ae6eab649729dde0bf68a3df112c4059855df4
AgentTesla
e1a319fa7beb45eb37027f911eaf5b74840319f5dafecde1a4e6c201aa0ea46d
AgentTesla
ebb0640f2e9c9893b4dee06e69dc547e19570980e94eaacb0b4e77436966cd0d
AgentTesla
+ 379 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-g6e7kxdvmn/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_blackremote_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj fb22cb7c87a1e0d1ba42b8ef5776782d5edf805d497cc65c2bcdb7d17e1410c5

AgentTesla

Executable exe 3e5a8f8b4f91747935f9f40474b21de8d345653189e370c5c39715ff57ccd414

(this sample)

  
Dropped by
MD5 9e5e974a8ceb2eb56250004bf6d6a567
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fb22cb7c87a1e0d1ba42b8ef5776782d5edf805d497cc65c2bcdb7d17e1410c5
Cape
Cape
https://www.capesandbox.com/analysis/8913/

Comments