MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c324d9dd65de8e5ad44795db94a24c3b2b3db5cdd88d5c35de386e039772a364. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c324d9dd65de8e5ad44795db94a24c3b2b3db5cdd88d5c35de386e039772a364
SHA3-384 hash: b406850b47d4e23c69ee7a9e92a812698004ae86977e7dc8e3cb35fe99f0225cab118ff59611dfc8262e186a191fe173
SHA1 hash: dcb35d17e4df834d0d1d6666c3f06b082248c745
MD5 hash: ffff0929aa619672f34a16a852e975c5
humanhash: mirror-nineteen-gee-oven
File name:rfq Img docs892712.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:980'480 bytes
First seen:2020-05-11 14:11:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:M9i9ycjhngD+gw8dmuOKerBiD9P7GjAo5fGdva9fxp/4ad2bfZ:M09Njhn0wc9XDp7GVo4T+a0l
Threatray 860 similar samples on MalwareBazaar
TLSH 9A25CE8022ADD3A5E4391BF4C965A4F1CBB27D2AE8A4D21B5C953DC936F2F41C811F27
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: lin231.loading.es
Sending IP: 91.146.101.231
From: indiana purchase <vfernandez@colegiohispanobritanico.com>
Subject: RFQ supportive docs
Attachment: rfq Img docs892712.z (contains "rfq Img docs892712.exe")

AgentTesla SMTP exfil server:
smtp.akonuchenwam.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 14:37:10 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ymsntxlf32hfvvchsxnzjismhmvt3non3cgvyno6hbxahf3sunsa._file
Verdict:
malicious
Similar samples:
0ffa7ac2091ab004e6755e1e66539633b6a628e90094d80357895df0e6092f9c
AgentTesla
11b4c682e2712b0c6516b3800b48afb967015dae3b4a06307281539d691aee86
AgentTesla
2222ddfcb76c8c278bbabf1b094e47950023f1319ae484d44dc502b91700db17
AgentTesla
239fca3f5df496aab1b7c7696aaa26d77174501abc9cb1c1e12a188584d745cc
AgentTesla
3ab173f1c673d450f1f9640193efc87c76e64687e4c43ea0024287c875cde792
AgentTesla
5f2f26cf27b0ffb53cf4a5ddec0d2fcd1236eaf7f4af3a7b78d9d23a23e4cb50
AgentTesla
67a5b58d36ef0884ee86d601a72ffb085c02aa9cfa40cd3a869ea6806084a011
AgentTesla
92fe26c8230e536786caaa0932023f795e94d364ef3221a728d81d7ef90afd2a
AgentTesla
b8a97b4c697cfa9f47414d83d6dbc0bf21b52281c1d018904ebcfe52cf88a108
AgentTesla
d17e7aae62fd256c264b2602f913c5b918501a1416abb5c58a4f14bcafa2b0d6
AgentTesla
+ 850 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger coreentity rezer0 spyware stealer
Link:
https://tria.ge/reports/201109-jjnqt2sthj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
rezer0
CoreEntity .NET Packer
MassLogger
MassLogger Main Payload
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ca175c94eb00b4846925e068678e41edc91faf50950303699635ee3f0546683b

AgentTesla

Executable exe c324d9dd65de8e5ad44795db94a24c3b2b3db5cdd88d5c35de386e039772a364

(this sample)

  
Dropped by
MD5 34dd4d75d410583c2f9ac5675f31965b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ca175c94eb00b4846925e068678e41edc91faf50950303699635ee3f0546683b

Comments