MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3da3a9487da78db1490c1aee12eb806925363678188034dabc1983c27d6eac4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3da3a9487da78db1490c1aee12eb806925363678188034dabc1983c27d6eac4
SHA3-384 hash: 64da680def91395d06e548a0ca65195d40099815e566f1d4e9f9bad81dabf20295696228be7654603a149b6575bbfc43
SHA1 hash: 9d136fca00d3451077bceaf8c5039f4d33465340
MD5 hash: 558f002df267284bbc8141146e3d5f26
humanhash: floor-nevada-mango-bakerloo
File name:558f002df267284bbc8141146e3d5f26.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'207'608 bytes
First seen:2020-06-29 06:05:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:bNA3R5drXdFd5tXjKVsiyljbjxtF3q+7UXxz1oK+BJMny1r3U3U:G5NTK2iyl9T6gUhxolJKyAU
Threatray 10'853 similar samples on MalwareBazaar
TLSH F5451202BBC588B2E5732E31583AA361797D7C301F30CA6FB7C49A6D9931181A535BB7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtpout.secureserver.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/15341/
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/379698
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 241989 Sample: RFQ0723272983.exe Startdate: 29/06/2020 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected AgentTesla 2->50 52 Yara detected AntiVM autoit script 2->52 7 RFQ0723272983.exe 70 2->7         started        11 jjgdxemns.pif 2->11         started        13 jjgdxemns.pif 1 2->13         started        15 jjgdxemns.pif 2->15         started        process3 file4 34 C:\99353652\jjgdxemns.pif, PE32 7->34 dropped 72 Drops PE files with a suspicious file extension 7->72 17 jjgdxemns.pif 1 3 7->17         started        21 RegSvcs.exe 11->21         started        24 RegSvcs.exe 2 13->24         started        26 RegSvcs.exe 15->26         started        signatures5 process6 dnsIp7 32 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 17->32 dropped 54 Multi AV Scanner detection for dropped file 17->54 56 Writes to foreign memory regions 17->56 58 Allocates memory in foreign processes 17->58 60 Injects a PE file into a foreign processes 17->60 28 RegSvcs.exe 2 17->28         started        36 smtpout.secureserver.net 21->36 62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->62 64 Tries to steal Mail credentials (via file access) 21->64 66 Tries to harvest and steal ftp login credentials 21->66 68 Tries to harvest and steal browser information (history, passwords, etc) 21->68 38 173.201.192.229, 49738, 587 AS-26496-GO-DADDY-COM-LLCUS United States 24->38 40 smtpout.secureserver.net 24->40 70 Installs a global keyboard hook 24->70 42 smtpout.secureserver.net 26->42 file8 signatures9 process10 dnsIp11 44 smtpout.secureserver.net 173.201.192.101, 49737, 49742, 49743 AS-26496-GO-DADDY-COM-LLCUS United States 28->44 74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->74 76 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 28->76 78 Tries to steal Mail credentials (via file access) 28->78 80 3 other signatures 28->80 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3da3a9487da78db1490c1aee12eb806925363678188034dabc1983c27d6eac4/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-28 23:26:57 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ypndvfeh3j4nwfeqygxoclvya2jfgy3hqgeagtnlygmdyj6w5lca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
251c55b7c7c02eec9a87eca94bb01f653317ef5d8278aeb2b511194d7057a675
AgentTesla
38701fe4b63d1436ba2e26cc7e268327299b58bcccbf074bfb2cbbcf57ceb2ea
AgentTesla
4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470
AgentTesla
61f312d2472d658a6570f3e96fc4543309a304d9415e86b1c9306f2baacc9563
AgentTesla
69f0daa863cb586a1e2b00b6335bc69f7f06615b44b2f81bb5445d6912f6a80e
AgentTesla
9a40f0300c23e940e1e6abdab04d0d52218ac9a28b96075238de1fb9acd88b77
AgentTesla
ad26de7b388b0d667f98b6fc939bf942f284752b6353b033b93d31556ad9b461
AgentTesla
c21dfa284b8375b585e7d3933846c3d61337a2e0ed66cd69f1bfa81a40e4b10b
AgentTesla
d35f40a630b2e4b24ec76c354e1e66d927afe339aaba45ff3c750ed52193c910
AgentTesla
d71b477cd43b0b25d958391d04579451cdcc8ea6f3cb880459822a17361ebc62
AgentTesla
+ 10'843 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence keylogger trojan stealer spyware family:nanocore family:agenttesla
Link:
https://tria.ge/reports/200629-1sp5m7bvhx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NanoCore
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/15341/

Comments