MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14e5f96ae6b8740535a954d5e0add90e7f41b5839dae197a8f1d6e89dc5708db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14e5f96ae6b8740535a954d5e0add90e7f41b5839dae197a8f1d6e89dc5708db
SHA3-384 hash: 1a5f2db2f84ccefceb20f8f6caa68578866c31da62e93ba2b4046559b327488667450d9717dd53a55091c078d4ce92cb
SHA1 hash: f2466879160d8ce4934af14996e69fd535c2743b
MD5 hash: 7bdb1e6ee2564b4af09649b8a0e502d9
humanhash: fourteen-may-hamper-crazy
File name:PDF45678.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:542'208 bytes
First seen:2020-07-21 06:46:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:d+fUYeG3jM3w6/7Ek8myRw6TBacLtMNJ/ZPd1LfD9lBEDFO3t5wJbpm+PNfCnjxH:dP7uzmxPXDT6y5YbpTCN
Threatray 130 similar samples on MalwareBazaar
TLSH ADB48B10E7B84AC9E3BA57BCE870011187B4B91AA7F6E7591B91F0ED1822710CB53F67
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

From: Anita Morgan <askgilchrist@gmfco.com>
Reply-To: Francis Morgan <askgilchrist@gmfco.com>
Subject: Dubia Buyer: Order Enquiry
Attachment: PDF45678.rar (contains "PDF45678.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29741/
Detection(s):
SecuriteInfo.com.Trojan.Malware.300983.susgen.3147.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392594
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/14e5f96ae6b8740535a954d5e0add90e7f41b5839dae197a8f1d6e89dc5708db/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 06:48:10 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cts7s2xgxb2aknnjktk6blozbz7udnmdtwxbs6updvxitxcxbdnq._file
Verdict:
unknown
Similar samples:
0c14de05af14835140799c2d9be3c80da30d7938fdcffc22edc9f6e0ec4b9994
AgentTesla
78fe45d6d5097ad57ebd01a350321546e60e79451b89ff0c45ca781f3c4e35fd
AgentTesla
7985804e27ef80e2dbf7bafc62ca022f600ceb1b9f636a90d0e3826eb2aeb978
AgentTesla
95f2db0071adb3c99b50c41ecdecbe4c6c18e9318bea7d8cd6743aff619a9f8f
AgentTesla
9d604c08ee1d3c2f747a0813ba0b38fb34477eca74a73176939f5a37a1ba5bc5
AgentTesla
a25e8f53a69b01074187de880fcb4a2e8fba9b32d781957162fb8fef4fac85b1
AgentTesla
c3418a3272d2f9a7b3121655ac783ce213a3d4557def273d3d3ae170ace88974
AgentTesla
d17f81844d81aab1740d9fc2992ae741df0636cd8eee2be31caa84a480e561ab
AgentTesla
f0bdd59b67a442209f68d9adf125fbadd7e99324ca917822d5f5f29e976b5b26
AgentTesla
f1677cc4e344449edc0f1aee639dd24fedd8a91bf17b4be11e3b71543bac301e
AgentTesla
+ 120 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/200721-yhfxbmmk7n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/14e5f96ae6b8740535a954d5e0add90e7f41b5839dae197a8f1d6e89dc5708db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar fda2966fa481173fe579327a3de9fb8647cf7cb1836e2ce4408c0a1376305084

AgentTesla

Executable exe 14e5f96ae6b8740535a954d5e0add90e7f41b5839dae197a8f1d6e89dc5708db

(this sample)

  
Dropped by
MD5 5c86f6638d281ee91f7a0528d000bcd3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29741/
  
Dropped by
SHA256 fda2966fa481173fe579327a3de9fb8647cf7cb1836e2ce4408c0a1376305084

Comments