MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fa8d147ff833b5f17193a61ea67be8ee5105af5b9059877f2f3feb965d5e679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fa8d147ff833b5f17193a61ea67be8ee5105af5b9059877f2f3feb965d5e679
SHA3-384 hash: 31730192fd62e4a304acb1365111e5e18b2d606dd82c2ee35439c2d7bc1df55db702ee7894b07b3cb0b75058efde41bd
SHA1 hash: a8bff5b7f9d0704a7a102049826c2a4f5d46c38b
MD5 hash: d0ebe8162fd3ed35301719781c6e5194
humanhash: bluebird-uranus-arkansas-jersey
File name:Order_0720PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:995'328 bytes
First seen:2020-07-06 15:02:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:I1pzhaAs/COZQ17ZubhXSl2H+/X7M5dRGzD5vy5sb8k1V2m:YplKQ10XZHiw5dEzD5v71V2m
Threatray 132 similar samples on MalwareBazaar
TLSH 89255BD13169DBB7C2F393B765388C2943AA0E8110B5E1A1649D3EEF5BB3360C2197E5
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ns351952.ip-91-121-78.eu
Sending IP: 91.121.78.8
From: Tapani Koskimies <charlotte.perret@kemone.com>
Reply-To: worldnetofficemailer@gmail.com
Subject: VS: Поръчка 0720PDF
Attachment: Order_0720PDF.7z (contains "Order_0720PDF.exe")

AgentTesla FTP exfil server:
ftp.solarcenter.ro:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21691/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Launching the process to change network settings
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3fa8d147ff833b5f17193a61ea67be8ee5105af5b9059877f2f3feb965d5e679/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 15:04:07 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h6uncr77qm5v6fyzhjq6uz56r3srawxvxeczq57s6p7lszov4z4q._file
Verdict:
malicious
Similar samples:
3e65f5a5983ed021643425c83b8ffc1f324402a3acd38bf6625658218a690fa0
AgentTesla
52f1036c20ed23f457be56d231119ad5471564e4095ffd0cc9d614fa89ef9356
AgentTesla
65b904f1a835b7b95e8644177287c03b1eae3a75432dd397347c7416be0ce253
AgentTesla
934ccb45d0e7f922e94cdb4a03152adf1b050b9575bf0790fecb0a4b3c68540b
AgentTesla
c901b6665268a9f5eeaa9e29c8fe5b9fbacbdce09be63191fc137ce573898fe7
AgentTesla
daff03c089c0a114d704efa30ca148d8b04d92b0439f9b2a5cb16306623a4379
AgentTesla
dc2d666c38ec7694f487798c8b9574d1e9f009c8c4d2a57a5ab1de6297adf855
AgentTesla
df049efbfa7ac0b76c8daff5d792c550c7a7a24f6e9e887d01a01013c9caa763
AgentTesla
e6b62ef1705eb10b32890c775836744bb1bd996aa60d34181a088fea4ac7125a
AgentTesla
fcfc827205cd38cdf997f72b1d58eba51ac12da6ba5939279b626522b11fd938
AgentTesla
+ 122 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200706-2vrazwxvye/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies service
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 10226cd6bef93e092848b402a24dd7d3bd54472f57c91c4799b6ee11fe3ba70b

AgentTesla

Executable exe 3fa8d147ff833b5f17193a61ea67be8ee5105af5b9059877f2f3feb965d5e679

(this sample)

  
Dropped by
MD5 be3f74182f7bd5ae70ac4a2981e1963b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 10226cd6bef93e092848b402a24dd7d3bd54472f57c91c4799b6ee11fe3ba70b
Cape
Cape
https://www.capesandbox.com/analysis/21691/

Comments