MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d067ec61abc3cb032027093834e84d7d4f7b0601024b152adb26481b420d683. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d067ec61abc3cb032027093834e84d7d4f7b0601024b152adb26481b420d683
SHA3-384 hash: f5d009fe9befc24fe1e0317f7d9fb0834fa4d39ecd0a8b719ebfbd9e24766ae33f87d900adf5b7745f4055b75495ec53
SHA1 hash: b43629b77f7ad21c1547bf9ebf61eae32d5542f0
MD5 hash: 7f1668bbf43b350bec0225ec86770058
humanhash: network-fourteen-ceiling-eight
File name:4Bt5r.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:866'304 bytes
First seen:2020-05-13 13:49:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:SAHnh+eWsN3skA4RV1Hom2KXMmHapDtl5:Vh+ZkldoPK8YapD5
Threatray 11'117 similar samples on MalwareBazaar
TLSH 37058B0273D1C036FFABA2739B6AF24556BC79254133852F13981DB9BD701B2263E663
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Script-PowerShell.Trojan.Povertel
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 13:49:09 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
21 of 31 (67.74%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=budh5rq2xq6lamqcocjygtue27kppmdacaslcuvnwjsidnba22bq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1d08ccd9e353e6684b90cef223afd58b740d0b391381c03636b56da17f44e6b9
AgentTesla
3945669106668a82fcc127f418ea0b028c8d73057b4b1715bb296627901023b0
AgentTesla
4297b0f564c12f9b864cb9c48b6b408ca13349dcc557c3243fe398d4921a8a8b
AgentTesla
551b22090262c7afc91b582469fd348fb365ea1ac39cf8ce75b55f069feddfc0
AgentTesla
5a7a9cb17f7c3d46e18a60c4201edbb8e93fe20723b34a9967a0fb67d2bf7896
AgentTesla
5dd114148f9cf40a9d80c1631cc582a4f19ee62d5f64c1b33e28a6ac5c5b0d53
AgentTesla
7832b802927a0d0c8a6500dfcd73512794fcf8b26fd6c8d61de254c48b2ef29e
AgentTesla
aafabbc33c3dcab75195c0a68e244c0b65043fd2fb966e8e66c46f76a1fca7dd
AgentTesla
ac6e23eef94b16aa7d6c2bdc35fa311bdf54019b2215d04b4e94384c4716ae84
AgentTesla
ce172721c1da61b4401d9b00414c050c72d33835962489ee6b59ddd4bc42ed37
AgentTesla
+ 11'107 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-s5p3zyk5pe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Blacklisted process makes network request
Malware Config
Dropper Extraction:
httP://paste.ee/r/ZyLny
httPs://paste.ee/r/gv1vS
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments