MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cad6de93886014f460477497c10b086c05531b368f9f7dd7ebab4c6d18fc53a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	0cad6de93886014f460477497c10b086c05531b368f9f7dd7ebab4c6d18fc53a
SHA3-384 hash:	1be445dac2cd07f01b32a52b0bd8a3f39638966774babf25f95c08215227e0ff678097f6d5a37619deb0ec4eb65307a5
SHA1 hash:	3ece5ef6cafd18a6c9e652faa6bae34f0a990a5f
MD5 hash:	187fd4d54ca0aff6a2425c556d421b13
humanhash:	stream-chicken-paris-blossom
File name:	Purchase Order # 4775 for JUNE_2020.PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	863'232 bytes
First seen:	2020-06-04 07:04:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e92fa7ccd490db33ccf0235eae4258bb (3 x AgentTesla, 2 x Loki, 1 x HawkEye)
ssdeep	12288:e6+mn9A32uu5hZqBnxeu5cfM+BIjvTxGKUlOtzz1Lww40n3JVkwSJSXOdCfon:e6d97ZMmNgTBJ1oQMC2n
Threatray	11'594 similar samples on MalwareBazaar
TLSH	CA059E22FEA04437C97317399C9B97B49C2ABD107D24B98E3BE4CD4C5E396913A35293
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: ygw2.ni.net.tr
Sending IP: 93.113.60.146
From: John Fluman <info@degiad.org.tr>
Reply-To: John Fluman <john.fluman@intranstcch.com>
Subject: JUNE 2020 PURCHASE ORDER
Attachment: Purchase Order 4775 for JUNE_2020.PDF.zip (contains "Purchase Order # 4775 for JUNE_2020.PDF.exe")

AgentTesla SMTP exfil server:
mail.hanovredisplays.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-06-03 23:33:20 UTC

AV detection:

38 of 48 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bsww32jyqyau6rqeo5exyefqq3afkmntnd47pxl6xk2mnumpyu5a._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

073c3d60993b41a1ea5847c06dab48a4bf4e3da87e74d26d8d51a1c11e0dae0c

AgentTesla

33fefd2ae3ff75bcae6718f2abbc99bc7ca047a4543c5420883eb39e1128e9e5

AgentTesla

69f0b47ce8a9aea88c84a436e06a6569715461960f48fa5b10af6b7ae0b94202

AgentTesla

725cd49294a79dc41269efe8765a70ca9e745460d1af90c5e1b019c1f2e1a0b4

AgentTesla

923d6f2e83a74acdd4e501f42f737b720ab266e1ed7312994bd99e259bd15464

AgentTesla

bfd903ae09de79cd3936769741aeac74c4f3d5178c487353237b377e08154466

AgentTesla

d146eb20c0c3745f4e74267f468a4fc870c1639b48bdd634d10f82856e7b59e9

AgentTesla

dc9b22b1af973bd12495cfd6e2c6621eb21e347a3f6a32edafb823a91d4e721a

AgentTesla

e8832bdaa159f1e5a0f7e4ce323c8a302c0db9cd7eb6ba0434fee843d7333129

AgentTesla

+ 11'584 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan upx

Link:

https://tria.ge/reports/201109-w9pmmh74va/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar