MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05217e21bc796bd6ba381874fff4a1f756b9d6616fa423c66730d2119b9cb11a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05217e21bc796bd6ba381874fff4a1f756b9d6616fa423c66730d2119b9cb11a
SHA3-384 hash: 2bf60bd5349aada93a9fa95f2a33e0cde6af139e046a19b0ab2b30ad7821d8cf1dc1a9a2b4954f22fdd1236b177a2a7c
SHA1 hash: 8ac550a3a339cb26aaed7b4c66eb63d7d1f6614f
MD5 hash: 7194fe416de1a7d585eed9e2978a3091
humanhash: alaska-princess-lamp-east
File name:Payment Advice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:674'816 bytes
First seen:2020-06-16 10:50:54 UTC
Last seen:2020-06-16 12:14:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:kZm49QjSTHr6VEJD6LpvGEpikYtzb5Wl7j4sDYXo9AHxYQJBb+0BtJfyC0d77Etg:u9QjS7r6VEt6zAzb1skH/p9t
Threatray 11'829 similar samples on MalwareBazaar
TLSH CFE42A3E7645A805D13D597345E56691A2F2AA833E02C30F39CA5BACAF027CF371536E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ip121.ip-142-44-173.net
Sending IP: 142.44.173.121
From: EXPERT AIR SYSTEMS PVT.LTD.<bforesythe@b-linelogistics.com>
Subject: Re:Payment Advice.
Attachment: Payment Advice.zip (contains "Payment Advice.exe")

AgentTesla FTP exfil server:
ftp.bmdonline.ro:21

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10906/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.7331.14767.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 10:52:25 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=auqx4in4pfv5norydb2p75fb65lltvtbn6schrthgdjbdg44wena._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a44ee4a63f01378570de7668ee2daa17534d296a6ff2c45bc14d8f9b07bb837
AgentTesla
155065582ffa38e73b116c0d434fbcc4a5a3a1c860e018d0b921301be4187edc
AgentTesla
2a19861b5542b7a76129c027376c7c3902e38ab5d9914722af6b13eff1a28973
AgentTesla
2c0f1d7345f723c437ba09cc6b7b5b451e241c9ed8f35e09679dd6caba835c6a
AgentTesla
c5aa13bc531e8381c2e271584ef2e91eb14cde3c62b0a1d76196576f8aa7c28d
AgentTesla
da01e4c70ffd72bdc10f8816e6a81b01e6cdcb96e110075a3c20840a4858b50a
AgentTesla
dab4f3595b805cc1d2e40f0b625a553cfc6c95db176df4f0673c42f8f02e4cd7
AgentTesla
dd121330fd6e7404cb15130de59e85a3cdeee12d7b45c73482f7d7536c36f585
AgentTesla
e10eb374689e800446850be0977a4911b17f16b190c58f6a2acccfda9fa33ed2
AgentTesla
f27357769e88135e1c6e8931638d380df6cb1f1053321f0efe1025a946a29091
AgentTesla
+ 11'819 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware persistence keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-1698ebwbre/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Modifies service
Loads dropped DLL
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip bad1a9d8a1f0662aa3713083815334b40212534c1d7da60c8224da9003c2868c

AgentTesla

Executable exe 05217e21bc796bd6ba381874fff4a1f756b9d6616fa423c66730d2119b9cb11a

(this sample)

  
Dropped by
MD5 90d8b5a3cadc685e6ba53d16910b34d2
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bad1a9d8a1f0662aa3713083815334b40212534c1d7da60c8224da9003c2868c
Cape
Cape
https://www.capesandbox.com/analysis/10906/

Comments