MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 103e7d56674c0bbc15c3e92bccfa444dfa0d13412f9a34012e0dc1ab7f7b9f18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 103e7d56674c0bbc15c3e92bccfa444dfa0d13412f9a34012e0dc1ab7f7b9f18
SHA3-384 hash: c6eb98d60afe159b106654d928d8305a2dc96f38c6d490a2ce9bc9f97be5cea68654d14d19e5c88dbb90faefd4825f6c
SHA1 hash: cd451503cbc99bac505358b2dc7b23ae60d3b94b
MD5 hash: ff72c99585c24393f54692ebcde09636
humanhash: network-comet-charlie-skylark
File name:Machine drawing.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:409'600 bytes
First seen:2020-05-28 06:07:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:lWe0edewCBRaZVas1RPN6Li0ju+DWvfrvK8wJItrzm6yc:Ae0ededRavr1RPN6W0juqW7/9XmT
Threatray 10'711 similar samples on MalwareBazaar
TLSH A594232C66EE573AD21829BFB981943117F052057A27FB5C7EC0F29F299B3054B82963
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: rdns0.ascendmolds.com
Sending IP: 5.253.86.62
From: Alto Pack Machinery <info589085890858908@altopack.com>
Subject: Machine Quotation
Attachment: Machine quotation.zip (contains "Machine drawing.exe")

AgentTesla FTP exfil server:
ftp.chinas-ccp.com:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.fc.4709.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Inject
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 23:00:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
32 of 48 (66.67%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3c1e86488fe5d68c50ae1d1b13138419f9d14e7ebc33c284c29b4385dd5c8493
AgentTesla
4d1192c2e4d605ff62b683bfaa5eb79f00650c72b6d532e4756239b48cbb10cf
AgentTesla
4f3a1dd374f609e7dd16e27c282c971122e9d8afbb58068a642925ed5a5065ac
AgentTesla
637b72e82538b767707282db37c0f960aa60c72e3c44c76ecaf232a9c105bf41
AgentTesla
90dcb385b06592664cb04ab1ac751748aafd8d8f9673547e19c8370bb614acf2
AgentTesla
ac6e5dcfea294b4260a82eea6cb2de75eecb7d960f3797163aaaecfd9c95d380
AgentTesla
ae9b67b930e3be156a9d7845efd534e763aa7fca2b9870d3c3af6991174fa1d5
AgentTesla
b3382a480fd0e7749a33bf51874e5b69cdcc8286fe9768c5b5dbad912ff549c2
AgentTesla
e53b85600f2e1d2c612854eb25aa5ebb3cf93a966aef11b22e186f65cb097506
AgentTesla
f8ac7b65c655d5e604540692e17267d64d0056d89dbdd3e3ff3c03db9b602f79
AgentTesla
+ 10'701 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-ajwhsvv1tj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 79afe3818ea8a1c011deb497d8af6c645a2d471554e0c95a725f8a00fd5bcfe1

AgentTesla

Executable exe 103e7d56674c0bbc15c3e92bccfa444dfa0d13412f9a34012e0dc1ab7f7b9f18

(this sample)

  
Dropped by
MD5 de82c197490e449060aa0352610c00cf
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 79afe3818ea8a1c011deb497d8af6c645a2d471554e0c95a725f8a00fd5bcfe1

Comments