MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3d8eff8aae92a5b55b1b1b8b11f1722f3065d4e0d2d0d8f248942e53d139d37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3d8eff8aae92a5b55b1b1b8b11f1722f3065d4e0d2d0d8f248942e53d139d37
SHA3-384 hash: ba009f747ecb23cb19e404a7a3104bbd79024a0dae408145687ef91f2e9b53fafde37ee337e734b5c6ba2d301b735099
SHA1 hash: bbbe1f6b33c19b6ef6a38e320136f4e250d26a0d
MD5 hash: 38ded58fcd4acc3f4b473ba4033fabdf
humanhash: foxtrot-lamp-fillet-missouri
File name:SGBS_AVIS_TRANSFERTS_RAPATRIEMENT_05000812377_20200609_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:449'536 bytes
First seen:2020-06-12 08:31:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:yXbmvGfYVOmCYOVmmJCbcbRmyjijylAnzytcDHrHhNlO:ZQYommJ6cbRXjyuAzqcDHrH
Threatray 10'753 similar samples on MalwareBazaar
TLSH BAA4015C7290B39FC85BC8318DA41D50E725B5BA5B0BD30BA48752FDA94E2A7DF204F2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 1d48368b.ni.net.tr
Sending IP: 45.158.12.31
From: EDITIQUE Sgbs <sgsn.editique@socgen.com>
Subject: SGBS_AVIS_TRANSFERTS_RAPATRIEMENT_05000812377_20200609.pdf
Attachment: SGBS_AVIS_TRANSFERTS_RAPATRIEMENT_05000812377_20200609_pdf.rar (contains "SGBS_AVIS_TRANSFERTS_RAPATRIEMENT_05000812377_20200609_pdf.exe")

AgentTesla SMTP exfil server:
mail.hospitalveterinariosur.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9999/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gc.931.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-12 08:33:06 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpmo76fk5evfwvnrwg4lchyxelzqmxkobuwq3dzerfbokpittu3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2b592308b29b6758a2ccfc2728f755be9f93e80e6712e39f0f95487723f808f2
AgentTesla
47f6cacd998a57442a950d19453874b725e689ae02ce9869cdec782595eab377
AgentTesla
64a41ad52d59bece56d2f40e5b37ff27043fd3cb40a390a28e18101ee2bd6c6d
AgentTesla
75baae23f80f6def274e340b17867d205068b34425fe6f7537c9667e370dec5a
AgentTesla
9b20b1817947f3b195de03856a8251019ca5f541256d450fe940c1bea7dabb45
AgentTesla
d2f382c29e58d85ead80623251160b4fb8504d3a71890a63519c22c04ecc9217
AgentTesla
dff1e27ea5797b49da2a5c7ca8ef6af4b4681d9bdc3baf92ceb0db77cb00fc83
AgentTesla
eb18282566acfa61046f56dd07ef72397528a06b8765c6b033d5153bf9bee0eb
AgentTesla
fc6d76b83d4292945015a7a7b9440f510732a070d9d1cefd26fc3d46591cca9f
AgentTesla
ff4ce18a829161a6d3e62fdcc8ae87d234b8b964abf8e7cddb9f44e761ae4a7d
AgentTesla
+ 10'743 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-ygjetqbs56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 242bad6c5a4a24dfc10899ad1cc71955c169a1d003cabf85fd30a1045e104a09

AgentTesla

Executable exe b3d8eff8aae92a5b55b1b1b8b11f1722f3065d4e0d2d0d8f248942e53d139d37

(this sample)

  
Dropped by
MD5 cb726b64d9b947665ea94253f5d58c4a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 242bad6c5a4a24dfc10899ad1cc71955c169a1d003cabf85fd30a1045e104a09
Cape
Cape
https://www.capesandbox.com/analysis/9999/

Comments