MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c39ac13cc69cadcb6badd8700e1a667274b9cd9eaa102db3f506bbf35372a29c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	c39ac13cc69cadcb6badd8700e1a667274b9cd9eaa102db3f506bbf35372a29c
SHA3-384 hash:	17639041e5544f280c96a8612cc80d641e17b52a8adc5d773ce922a6de1f528a97dfd8bf7154d0cc32abd5244f289499
SHA1 hash:	3ec24f582ee1e9b624e623d309f2642fc7633b66
MD5 hash:	48c0f7941f12ebf4f4fcf92de06cd93e
humanhash:	neptune-jupiter-robert-one
File name:	new order123.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	221'184 bytes
First seen:	2020-10-06 05:55:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:3e/AcytTUb5Mz/C+rVUA4/WqH415W8jcDE:8vgCm/jOB/E
Threatray	331 similar samples on MalwareBazaar
TLSH	2C240856178CAE21CB7E02B8C057821833F19633876F938F6AA2D8FD1B456C9FD1A5D1
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: chalco.com
Sending IP: 156.96.151.232
From: SHENG ZHENG <sales@chalco.com>
Subject: FW: CHALCO CHINA Order No.AT231256
Attachment: new order123.r00 (contains "new order123.exe")

AgentTesla SMTP exfil server:
mail.alaried.com:587

AgentTesla SMTP exfil email address:
mshaaban@alaried.com

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/68420/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Setting a keyboard event handler

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/482325

Signature

Antivirus / Scanner detection for submitted sample

Found malware configuration

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c39ac13cc69cadcb6badd8700e1a667274b9cd9eaa102db3f506bbf35372a29c/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2020-10-06 01:20:28 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yonmcpggtsw4w25n3bya4gtgoj2lttm6viic3m7va257gu3sukoa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

60db9d2df465b5bfcf2d1c0a71559c57c561d0746a0f3fd7f4e8b9203871cfb8

AgentTesla

64c4d370517d05b2add478ca85855bf94c4c51ed05e9e02a92afecc04459ea38

AgentTesla

818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e

AgentTesla

8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a

AgentTesla

a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04

AgentTesla

af78e9a2d4a82521ad67cc63493b8525ebf8c2c1b1fb2530162250daafeb2ec7

AgentTesla

e8e343cbb5ec9cf1c0d2d4ce34773c03b18cbdc29811acbee054b0731660ad02

AgentTesla

eed860fb0b48051582b2f34f20bc47f0fa5cd2273d20df99d339d1058e79113f

AgentTesla

f23c845c6c2450e632e8894be99fe3eb8a6a42eedc749c593431665c18e37d03

AgentTesla

+ 321 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger trojan stealer spyware family:agenttesla

Link:

https://tria.ge/reports/201006-b1bl36jv72/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

c39ac13cc69cadcb6badd8700e1a667274b9cd9eaa102db3f506bbf35372a29c

MD5 hash:

48c0f7941f12ebf4f4fcf92de06cd93e

SHA1 hash:

3ec24f582ee1e9b624e623d309f2642fc7633b66

Link:

https://www.unpac.me/results/6b1cfe7b-1e76-46e6-9531-a87ef6536218/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c39ac13cc69cadcb6badd8700e1a667274b9cd9eaa102db3f506bbf35372a29c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.