MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06dc2ec5236a90bb95beb6d6e524ffd81c64edc88ba89d01743c224d6585674e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 4 File information Comments

SHA256 hash:	06dc2ec5236a90bb95beb6d6e524ffd81c64edc88ba89d01743c224d6585674e
SHA3-384 hash:	16f9b910c5fd4eec51360f12aeed69220f08f32d4f83f75cfbb49920b002ac523ee1ee6eeec0b8c1152d2b8efbaecc55
SHA1 hash:	620731e5f840c66ea2087dce6797822a1e55eb48
MD5 hash:	ad5620af877261409669e7bb49a662f0
humanhash:	georgia-pasta-twelve-video
File name:	NEWORDER.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	396'288 bytes
First seen:	2020-05-09 06:08:09 UTC
Last seen:	2020-05-09 07:10:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:o2TxWUWRU8j2+fIjVF7/uNzyDI8mgcILCniR3qd86uKL12W063RWyNvyt6jl9ZZC:nE2+fIfGNzyEgcIWnoqGM3068geUekq
Threatray	10'605 similar samples on MalwareBazaar
TLSH	1F8412990E9C27BFE57D29B88B199E0653FED1573402FB4EFD4831606EC27884B107A5
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.ArtemisAD5620AF8772.4395.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Agensla

Status:

Malicious

First seen:

2020-05-09 01:59:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a3oc5rjdnkilxfn6w3lokjh73aogj3oirouj2aluhqre2zmfm5ha._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

216c6b02a878dd3c0e20e476bcbb0e74a6d0841587118eda96ab3bc620d85d1f

AgentTesla

45bea748d6714e636270097d0dca1ec13a2442359b3b9bc09204cd73dfb4dae0

AgentTesla

5f5e348e8dbe8f7d7d97abefd6a2d686569a65720b97827082b2a82fb0430670

AgentTesla

60dcbc267b3ed28ae812ac76ac9b7881f27520e6279060a887482f792d26e773

AgentTesla

6bece1991883897d6c949fa8eeac82f1bc6b7fbfaf581f5b5be776c4230bd007

AgentTesla

7aa2fa4a7ad5d966f7b62e65a4ffc0cd4a7f5bf08b8759aff02ede48275002b7

AgentTesla

c4822e5b8ce242f6a39acb3db0dbd81ed1c2f630324f35afd3e4d7ecebb9538b

AgentTesla

c92de8b1d039535db38a206be0757239560a527e9f7d92b5f9baa1a36fa966b1

AgentTesla

d09cbb481136d7766db12c79dc6c82fee1eb89056d4e7b8bc989a7a5d38467af

AgentTesla

+ 10'595 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-jjcr62rgnn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

rezer0

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 45bff1f76027399ebaa4975d5bb76bc0724335a6c4580c16fe56737ba442b8dc

AgentTesla

exe 06dc2ec5236a90bb95beb6d6e524ffd81c64edc88ba89d01743c224d6585674e

(this sample)

Dropped by

MD5 3299b7ea0de75e1baa0e7af75ae4c8fe

Dropped by

SHA256 45bff1f76027399ebaa4975d5bb76bc0724335a6c4580c16fe56737ba442b8dc

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample