MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0af91caf5bfd256133203be73629b6fc15dda3a6d11b007549babf7118763cfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0af91caf5bfd256133203be73629b6fc15dda3a6d11b007549babf7118763cfe
SHA3-384 hash: b32de48fb3ecfdee760a754d993128c15c9b7c40cf7bca80c2ab105e4b3ef174c89c1eac7aa7d79da63968b2505f9bc4
SHA1 hash: ae00fde799f39f523d81f018deee725e002c3504
MD5 hash: b1a04a9fd721408693d5db518a5a5df3
humanhash: ohio-nevada-king-monkey
File name:docs.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'457'152 bytes
First seen:2020-05-26 11:07:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:Ytb20pkaCqT5TBWgNQ7aHTGpO45pF6qkHfkR6A:hVg5tQ7aHTEOqpPac5
Threatray 11'033 similar samples on MalwareBazaar
TLSH 3E65E01373DD8361C7B25273BA25B741AEBF782506A5F96B2FD4093DB820122521EB73
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: conticoshipping.com
Sending IP: 103.207.39.104
From: sales.mum@conticoshipping.com
Subject: RE: Invoice for the subject shipment ( Original BOE , CFS , Liner Invoices )
Attachment: docs.r15 (contains "docs.exe")

AgentTesla SMTP exfil server:
venus.worldindia.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27681.XorExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 11:36:46 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
23 of 48 (47.92%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4b396e4fff0dd60a786b60655dc16cdb19dafae9bb3a3b46802adaa0d7c5db7a
AgentTesla
4bff91911fbfbb6f44a3879a87f21b04b8dfee9653ae8200e954da862afa3b94
AgentTesla
56b9f46d444fc00ce61dd5a62bcf079275e5a13ae984c9b8415202068fe6b257
AgentTesla
5a280ac4b15b1c6ed5a6c96c88d99c681574bd8a363ee386e69bffe62b995e6e
AgentTesla
68d01ee51cc0c90ef40afbd0b6a914de7d80c8cc347ffd80c1a7e0e888bde437
AgentTesla
6920173eb3c5031387b852bd2dce1bdce04ed1199b914b72a009fe257d7e6766
AgentTesla
9350e2b52b57a3f17169e6b46a888559dea995d2de8c61a4cdbcbb340d530dff
AgentTesla
b78e0ed795cb86a85ec771f41d364d584b46fefcf84a5151e92d017334b5ab94
AgentTesla
c0e9834e978646714b1e771103705e34e4211894fe3987d1e09bc6353827b1e0
AgentTesla
d3955b520c38bb369e6d3c5e3304fb29e4699cec3aa549fbb8b7f7fe137abf5f
AgentTesla
+ 11'023 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-vgn13zqfws/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 8162f72598ab8e69ef39f02de95436aa21f3d433503c263cc5fee47185c3ba15

AgentTesla

Executable exe 0af91caf5bfd256133203be73629b6fc15dda3a6d11b007549babf7118763cfe

(this sample)

  
Dropped by
MD5 954416cc79acbba0afd1ea5462689fa5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8162f72598ab8e69ef39f02de95436aa21f3d433503c263cc5fee47185c3ba15

Comments