MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1815b430c5e268bae6c954cf7d38575e131776105726c317b0aca1ec10e6cb9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1815b430c5e268bae6c954cf7d38575e131776105726c317b0aca1ec10e6cb9a
SHA3-384 hash: b80ccd05d31346258b1b051badb023807ca1d7cdc9605cbf39db8ebc84e65d0f49e10f0a2ca9fde2220bc93c9baa8089
SHA1 hash: 49e17a935a222dcc62e035f701fd21ff07022af8
MD5 hash: 3dada642ea80d2f5ebe660fc8b590716
humanhash: london-wisconsin-sink-winner
File name:New Order PI 25-09878.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:439'808 bytes
First seen:2020-05-25 08:18:50 UTC
Last seen:2020-05-25 08:51:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:CxO588/LqTvIc6GFdtHJmUiOHYpZDSIxVHP1RczYof:GhTvIc6GvXPetSeHP1azYo
Threatray 10'610 similar samples on MalwareBazaar
TLSH 6794024032A8676EE83E6BFA509120111BF2E55B6B27E34D6EC339DF0997FC11941B27
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: chapar04.afr.hezardastan.net
Sending IP: 79.175.132.33
From: Chun Wo Ho Co., Ltd <sales-tweety@chunwoho.com.hk>
Subject: New Order PI 25-09878
Attachment: New Order PI 25-09878.zip (contains "New Order PI 25-09878.exe")

AgentTesla SMTP exfil server:
mail.fakly-cambodia.com:587

AgentTesla SMTP exfil email address:
elesh.ly@fakly-cambodia.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.308.23381.12785.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 09:00:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08e3928e063f4d85e7580cb03a62d69e7c3c0ba1bd04e2867343931e335862bd
AgentTesla
15e222044508e226a53f0313f78e3214b135cc40c2df348ccc8eb1dd4f0b674c
AgentTesla
1fb56d650a87fbd1ed57929b7127488d189804096a033af3dfa22936662d2ea0
AgentTesla
2ae5e19dd2e891ea8c09b48a7e0805a2f797cdfe841c0d71acc90d58eef5e94f
AgentTesla
3b82d291e2fb62eac9616a46f75733d77f8d6287dfc54d834d60418cef7f717f
AgentTesla
4e2b3791173e3bc11fbb3be7b04c226c23e6d525b987f7e044c257f55b98df5b
AgentTesla
5b1b8f25badc68e5ea51912e4d56c879a1a2e9ba3743c87a5c31843bb0ab099f
AgentTesla
9f0ff834836defa680e364c7318932aa13074bed115f6ef52b3c08e856df6b33
AgentTesla
b2ddd3894714d2d0858f7a22c23e086e2165a05908e76d04086a125922cdf014
AgentTesla
facd926228b05b8f55db0f2dbcf6a62d88405bde4b1533cc6ee745c32ea3b205
AgentTesla
+ 10'600 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity evasion keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-matzq4qyvx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 3b7f6f8fb58190e258ea84f72c957b1fdf2d54daa5c9f2b9ab61920ff8cf4966

AgentTesla

Executable exe 1815b430c5e268bae6c954cf7d38575e131776105726c317b0aca1ec10e6cb9a

(this sample)

  
Dropped by
MD5 c6d6bdcd373dfc0fae9eba288bbf939e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3b7f6f8fb58190e258ea84f72c957b1fdf2d54daa5c9f2b9ab61920ff8cf4966

Comments