MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8a3fed3476b3f28b4d158607b92c132d395a86ca2375a64b9d3f0b617bdff7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8a3fed3476b3f28b4d158607b92c132d395a86ca2375a64b9d3f0b617bdff7d
SHA3-384 hash: 1e6c318e96ca7be1b3cc6167ce8ec9620d002a5af8c75fe37943c5e4e12da503b7c23ba54472e54c454c8ea494d84143
SHA1 hash: 081a4f85480bea28289fdf84d4e274cf830e13e2
MD5 hash: 059b5d11a3a5331bd00783c6a24c13d9
humanhash: louisiana-five-cold-alpha
File name:Tekrarlanan Siparis.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:636'416 bytes
First seen:2020-06-15 12:29:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 6144:laUPSn6VEJD6Lp3ZSk9aj6OspRZgKUuCtwDT4m5RyNmP1dpgE9f:laUo6VEt6TSk9aj8JUuCtOGmtAif
Threatray 10'662 similar samples on MalwareBazaar
TLSH EBD44B3D3685BC01E13C093344995A90A3B2EA877702C71F7ADA579CAF127DF3B95289
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: sivatek.com.tr
Sending IP: 156.96.62.208
From: Selcuk Bostanci <info@sivatek.com.tr>
Subject: Tekrarlanan Siparis 28102019
Attachment: Tekrarlanan Siparis.pdf.uue (contains "Tekrarlanan Siparis.pdf.exe")

AgentTesla SMTP exfil server:
mail.bestinjectionmachines.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10386/
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 12:31:04 UTC
AV detection:
28 of 48 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zcr75u2hnm7srngrlbqhxewbgljzlkdmui3vuzfz2pylmf55756q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1adb1e77313a4404c1133c255cece52584f329eeb223d6567beb97d9754125ce
AgentTesla
1eebe4346f9ef87b9be5bae1875e17097501a28a201e2cf500df658a3727b47b
AgentTesla
41eacb31f32da496ed3d78e3b90797bea286f56808a09ab339846ee3aa18b643
AgentTesla
602539024550629c94790807ab0f6b99379a53767b14375963e64b71a2185408
AgentTesla
8a0dfa424d15f228b79cf8e773937af51dbf53251168b44afa554fd62db25f85
AgentTesla
ab79b2c6cca235d1b6a2bfdc550a15497c03d193d622feaa2e48c3006ef7c0b8
AgentTesla
ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317
AgentTesla
d0be07347ce319cbce0fa252c4a030834dafe118c2ea50a6e05951ecf06b20da
AgentTesla
ef7a8f1478e57d2dedf96a00501903b7b5a571680286502f2f329ed2c8728b2b
AgentTesla
f3635e26f70dfb1240a5f8c7b09ea634ee9e5b6692cb73829b0124c0b2505281
AgentTesla
+ 10'652 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-15qxlqry52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 32ce30b24b4edaca7edd13457bf53d9e01bbf95b259f1d4749824ed875d43ead

AgentTesla

Executable exe c8a3fed3476b3f28b4d158607b92c132d395a86ca2375a64b9d3f0b617bdff7d

(this sample)

  
Dropped by
MD5 f800807a741c8977d8c973a7575b8927
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 32ce30b24b4edaca7edd13457bf53d9e01bbf95b259f1d4749824ed875d43ead
Cape
Cape
https://www.capesandbox.com/analysis/10386/

Comments