MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1826975a0565110397ae2d9f71bf3654350bb7f73e70381b16d2a4b66e08220a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1826975a0565110397ae2d9f71bf3654350bb7f73e70381b16d2a4b66e08220a
SHA3-384 hash: b6d3908fbfc1715362535603b5593a5b6311f28f194da58c78e8b700eb11b06b5a330659f5dc527e85f134568210d80c
SHA1 hash: 687cef26aa031aa02c991ae088cf8ae410f3928f
MD5 hash: a7eac1a9ae5f8e9f3da0a6567076aead
humanhash: maine-coffee-beer-neptune
File name:uPzEcKikmnRh2Eh.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:656'384 bytes
First seen:2020-06-18 19:49:25 UTC
Last seen:2020-06-18 20:35:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:RCjFmV+0NTuEHJl5gkHj9GdaME8tFppp1/:RC8+iaEHJl5tHMaaFppp
Threatray 10'607 similar samples on MalwareBazaar
TLSH 87D47AA3D28001B5FC1E5F3962375C2225A3BD7B1AF4259D329DB1725BB3681006EE6F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vps.chronicgames.biz
Sending IP: 45.95.169.105
From: info@chronicgames.biz
Subject: REQUEST FOR QUOTATION
Attachment: REQUEST FOR QUOTATION.zip (contains "uPzEcKikmnRh2Eh.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19858/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.42908.11237.1334.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-18 20:35:36 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=datjowqfmuiqhf5ofwpxdpzwkq2qxn7xhzydqgyw2kslm3qieifa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ca8c0c5ebf25e694725d965acf1d3db4a299c633fd895ea6f2dab80082d7337
AgentTesla
2b5d96d018098da5990f2d6d721ab925efd4422c13cccf031775b6fddd5f801e
AgentTesla
4ba3daeca73f3cde751424f8ec9972e274e0ffe915ce7c58eac0bf4d278920b1
AgentTesla
50d83791145d6b09c47fc90279d568bff571181c97d9dad9ab63c3e9c9b935af
AgentTesla
6173db36930ac991797a937156838a278e4b41633b1152a2f400300f313658fe
AgentTesla
61d9ac86c9e84f051340bf2adedaa4eb4fc7960e01f8a00d66d2ebd4201489e2
AgentTesla
69adbed423ab81bfaeefc5b61a60cb6888c5c682ccb239220c521be70a140ebd
AgentTesla
8433ac6d87185d65251a833f4f37ac4095395d2751da1ff95e8d9d4e53656480
AgentTesla
df9e063f4337de010612602b800dd6c3c3bf0d5c176ee5cb7f2a286617d106d1
AgentTesla
f344f9a579f46f453c4bd43a970d90c7def7882718f87fc3abed83fdfef087a5
AgentTesla
+ 10'597 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-4jv95jktw6/
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 42a3e98cca517cb3cc670c9ed9fc0b17d3b60e63499ee46ea6d6c22b2ff0d126

AgentTesla

Executable exe 1826975a0565110397ae2d9f71bf3654350bb7f73e70381b16d2a4b66e08220a

(this sample)

  
Dropped by
MD5 8f4c9fc2a975f184b6a473d23b63bf1c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 42a3e98cca517cb3cc670c9ed9fc0b17d3b60e63499ee46ea6d6c22b2ff0d126
Cape
Cape
https://www.capesandbox.com/analysis/19858/

Comments