MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f4689ec7f18f1c30786b9953ed1fccb79f806a233aeb730fff83b432adf87bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f4689ec7f18f1c30786b9953ed1fccb79f806a233aeb730fff83b432adf87bf
SHA3-384 hash: c59bf9ca3dbc51297800d615108aab3fc4ef4a3277d6e9a5ca927d6fe18da03ffe37cffa3ee296573f98f6354c0d1e10
SHA1 hash: 4014c2a9308acaea0b6acbf29f299a4abfd4d560
MD5 hash: a129a256b9113b4a9283d4d755fbdee1
humanhash: floor-lake-enemy-potato
File name:Bookingreference.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:5'473'792 bytes
First seen:2020-12-17 09:09:17 UTC
Last seen:2020-12-17 10:29:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:ZtL/BgbcDRxypFiyd9HoHvoIBtcGji/YolqTBbYutp:ZzgiydeHA4+I
Threatray 1'868 similar samples on MalwareBazaar
TLSH 8546AE543C22325BF58A31B056EB56E889E5391C2570272B9CD3B87CFA2D9477C8F872
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: secure.zrl.com.zm
Sending IP: 216.194.164.118
From: Beenzu Hamaimbo <beenzu.hamaimbo@zrl.com.zm>
Subject: REVISED 1 Month booking for 12 PAX
Attachment: Bookingreference.zip (contains "Bookingreference.exe")

AgentTesla SMTP exfil server:
mail.pacificwests-deilv.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.mg.a129a256b9113b4a.11685.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565168
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f4689ec7f18f1c30786b9953ed1fccb79f806a233aeb730fff83b432adf87bf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 09:03:33 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h5dit3d7ddy4gb4gxgkt5up4zn47qbvcgoxlomh77a5ugkw7q67q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b02286faa0d5f7a7c239bbb459252a5dbc499562bba488034c75d8c04e29cd3
AgentTesla
119ea5a2268265102382111254f38977bbdc06c4fb7d51f4ad21d248596bff1a
AgentTesla
14e825ebed2c7886f5e5841724b4ae7f5c0b7bd2c46ea94dffee74381e1fc73f
AgentTesla
38cf806ecaf30b5209ebce1a41e7ac877d3201cec05f4a665fe85797a7069bbc
AgentTesla
428b4819734a979d5685b235d190ab9e07bfd6e5098e22ee9195cd386dc701d0
AgentTesla
53c1425f389198255d64a1654f9e03fc92d28ca53937f75edec2c500d9373c76
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
AgentTesla
ba3548566c5eda9447bd910346549f92ecc5cd51f959f51cc7bc836a2ce49501
AgentTesla
f37614ecb7916b27340fd6270d6917b8778c0b92b8edf0ff9e4aa65f3883f626
AgentTesla
+ 1'858 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201217-3ytsptp8ra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
3f4689ec7f18f1c30786b9953ed1fccb79f806a233aeb730fff83b432adf87bf
MD5 hash:
a129a256b9113b4a9283d4d755fbdee1
SHA1 hash:
4014c2a9308acaea0b6acbf29f299a4abfd4d560
Link:
https://www.unpac.me/results/62b3f016-1d30-49ce-be05-61ce6a3760c0/
SH256 hash:
2ed00e171f73a48996959d926705d4003c1e82f294260d6e8d7d58cc744733a7
MD5 hash:
320b9eaf75ad941a027592b3717250db
SHA1 hash:
144ba0c4e341ec9c8dea6fac09728de200c5d9e3
Detections:
win_cannon_auto
Create hunting rule
Link:
https://www.unpac.me/results/62b3f016-1d30-49ce-be05-61ce6a3760c0/
SH256 hash:
90d389f8f632062df0830dc39551db311b2921f7321637d2be3d19911cd57676
MD5 hash:
90a219497aaa24dbbe5b02853f43137f
SHA1 hash:
e3aa8b0824d5dddd11d78ea42f02c897bf6e7d93
Link:
https://www.unpac.me/results/62b3f016-1d30-49ce-be05-61ce6a3760c0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f4689ec7f18f1c30786b9953ed1fccb79f806a233aeb730fff83b432adf87bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_cannon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip aa6be860f24dbe6c5b6a03fdf7a0fd1478f32ed933e3b6dc17318e36395883a6

AgentTesla

Executable exe 3f4689ec7f18f1c30786b9953ed1fccb79f806a233aeb730fff83b432adf87bf

(this sample)

  
Dropped by
MD5 440e7ba792205d7432c6576fa94fcb72
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 aa6be860f24dbe6c5b6a03fdf7a0fd1478f32ed933e3b6dc17318e36395883a6

Comments