MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be34c89f025f7c0309049f197eb3c50402094440bb8f83cc554975c674ad304d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: be34c89f025f7c0309049f197eb3c50402094440bb8f83cc554975c674ad304d
SHA3-384 hash: 1dd45ac2fa82f8ce0c4572c87e2123595ce2df90bed30f1de8d0dbd0e177fed273b1732c9f3003176a5078094236559e
SHA1 hash: d4d2a3292d21280cdbd1cb60da182e8a266d22d3
MD5 hash: 5e4518fbae6a46e0a54f8ac692228635
humanhash: zulu-may-lactose-asparagus
File name: hf3cTSc1CVm268N.exe
Signature: AgentTesla
File size: 446'464 bytes
First seen: 2020-06-24 14:27:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 12288:a2V9MXxPRNZCEx1J3qgQAF7GgQj0/Ks9MEtw:DINZCEx14g3MQyszu
TLSH: 0B94020A3BACA917C5BC06F9E8D26F4163F64DAB7512F6D82C806AD514D3BF46A113C3
Reporter: @abuse_ch
Tags: AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: mail.amdigital.ro
Sending IP: 176.126.172.55
From: Sales <order1@prismindia.com>
Subject: Re: PURCHASE ORDER FOR PRISM - // 377475689724
Attachment: NEW PO_ 377475689724.bz2 (contains "hf3cTSc1CVm268N.exe")

AgentTesla SMTP exfil server:
mail.prismindia.in:587

Intelligence

File Origin
# of uploads: 1
# of downloads: 45
Origin country: FR (France)

Mail intelligence
Geo location: IT (Italy)
Volume: Low
Geo location: Global
Volume: Low

Vendor Threat Intelligence

Detection: AgentTeslaV2
Result
Verdict: Suspicious
Maliciousness:
Behaviour:
  Creating a window
  Unauthorized injection to a recently created process
  Creating a file
  Using the Windows Management Instrumentation requests
  Launching the process to change network settings

Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-06-24 14:29:05 UTC
AV detection: 36 of 48 (75.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory

Yara Signatures

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: win_agent_tesla_w1
Author: govcert_ch
Description: Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe be34c89f025f7c0309049f197eb3c50402094440bb8f83cc554975c674ad304d (this sample)
Delivery method: Distributed via e-mail attachment