MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 135745622b39e964a7dc0406ee50a938d21a3627508b0c431cf9571dd1a71403. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 135745622b39e964a7dc0406ee50a938d21a3627508b0c431cf9571dd1a71403
SHA3-384 hash: 355b139bbe2aa42b6dbf2df6f4b2df6b2ed67b6e6ea7abb6cb714e45cebbefea579ecbe3fbd178bddfe7db1bfbafacdf
SHA1 hash: 9120ad429d9045e7308ab54d0a78dc870a8b9aa6
MD5 hash: 6f0694979bcbab9939523990b2c4cbe4
humanhash: yankee-green-fourteen-solar
File name:qTjURjTjIwLWNkKuECSaUhm.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:308'736 bytes
First seen:2020-05-20 15:44:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:MGGz7XbQmLbSyBlguy9Dledd31z3P+x6abbFBWCOAUAWB61b:M5bZ7lguyvgFz3P+x6abbLWCOAU
Threatray 10'589 similar samples on MalwareBazaar
TLSH EB64197DAB88B902F23D5D7251D2122012F1D0834E12C35F6EC86BEDBF557C97A4A3A6
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 15:43:47 UTC
File Type:
PE (.Net Exe)
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnlukyrlhhuwjj64aqdo4ufjhdjbunrhkcfqyqy47flr3unhcqbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02598592bee4d0e9a9b20966d8843b3541d7041a7e307b091369f0554e28888b
AgentTesla
0382884e9d5a700d9e0b587cafd5eb5849b5cf65396de1af8210e20042194bca
AgentTesla
16ea5dc52c94b89cae902c89ca1e1d5572268b83014fe2d8175061f654295ba2
AgentTesla
3e12b0587d24f1f28bfc04ac59f0479bd458d042e5ec0602276ca8044c5b77ce
AgentTesla
5ce2d2774ba40e6dc9997abefd9d8d50321eb37b26e3b6963add26877f036a3e
AgentTesla
638c1a92d23c9660163d8cc9e985189afe678096062a115ac08187d89a2e4149
AgentTesla
a4a97ffddcc1f86ee8d3c45421375fb560f3b9aa9428cc3079cffc1edf930d0d
AgentTesla
bc3401d05a180606f7593e377e8bb1070c06c90cde1e268954f43e44d8b571a6
AgentTesla
c5b7a21aec63cb037d441c6e850b500567b1937c21e4f842fbf73930a6ec62a4
AgentTesla
dc7b55d9c01a9f7812b06be0f41d45c82305f07e25a1232bea4f00a6dea45c6e
AgentTesla
+ 10'579 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-altzmr89hs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments