MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 186926c5114f3c21eef158cc18f815591edc48864f0f6817d3677a5e6ecef7ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 186926c5114f3c21eef158cc18f815591edc48864f0f6817d3677a5e6ecef7ed
SHA3-384 hash: 059c87196fd9d335384d0eeb3cdae2ebabdea27944399cfa636a89f7baddc5b9bc04c3e96868995ded09f038a0427e57
SHA1 hash: dd68ec45b984d8e8516cdd56cf0dd3969bcca293
MD5 hash: 7f75e3c939345bb3dd6c5f88fe936185
humanhash: speaker-coffee-diet-colorado
File name:7f75e3c939345bb3dd6c5f88fe936185.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:735'232 bytes
First seen:2020-05-21 09:23:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd14599cca3bfe5eac2aca6e33e2157b (7 x AgentTesla, 3 x Loki, 1 x NanoCore)
ssdeep 12288:UBEm2TGS371Df9rjlPd+2ZrC0JA+FO/nrTFfDxvF8OzXD6po0:UynTR7FVrD+OXSTFfg
Threatray 11'673 similar samples on MalwareBazaar
TLSH F0F4C132F6E14837D163567D9C1B937CA82ABE113938594AABE43C4C6F393C53936293
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.gli-bar.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Mal.Fareit-AA.12164.16199.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 22:57:43 UTC
File Type:
PE (Exe)
Extracted files:
274
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dbusnrirj46cd3xrldgbr6avlepnysegj4hwqf6tm55f43wo67wq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
005f14d06c16be03e043dd8a6e92eadac72688491f960e0219de292eaefdfd22
AgentTesla
2f7c438e16c881ff7adb99304a629393bc220c5ea4a61190ae881898c438fe50
AgentTesla
654e546d40f7d74528c82d0a3feaf917a8a173e07e2a0ad9d5f29fb8b961bc67
AgentTesla
72085a6683fbd36131021d63dff1637225c452606c901a7ebe58bdd7795af521
AgentTesla
757207b0f638a3e70800aaa7cb4eda7e207f3641158d4a789d50b231fbe4f136
AgentTesla
8a04b41b1321999087985915c3d8ae3dadab72bb38c66fdcac918ba98559a03f
AgentTesla
963d503685bdaaaba8f23a99900beba2c959ffb71a77ec4ce71036206069b928
AgentTesla
ba4c22cd68fe1d4fee2c9e47f1749b77e3295113d2f7ca8f50c03c61dc5cd23f
AgentTesla
f4fa3604afcd80c55941153dbd9d16f4449871fef52050b6d8d12564182f4102
AgentTesla
feafbaf136b60be701a0dbd0f812d09e79c4d88bfea6b80b9569f641b7ce82b2
AgentTesla
+ 11'663 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-6z7lg3zxqn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 186926c5114f3c21eef158cc18f815591edc48864f0f6817d3677a5e6ecef7ed

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/365695/
  
Delivery method
Distributed via web download

Comments