MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18a41b50c8885afe4978787aa8c44601134838f73f66e7edc520bad7d76bfad2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	18a41b50c8885afe4978787aa8c44601134838f73f66e7edc520bad7d76bfad2
SHA3-384 hash:	2a679ab6883b66c4077bd5f9e07ade7eff19303f4c6d0663ed65603e5f227b2d731b965a6a26e3f4eb1da3a46fe6e996
SHA1 hash:	d8ed043b7b4057670dfbd7d7c8039fcb0f5de792
MD5 hash:	dec84f6b8adf05075f43025708c0ccaa
humanhash:	beer-blue-sink-burger
File name:	Invoice approved.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	692'224 bytes
First seen:	2020-07-08 11:34:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c6558f8c55c7046860294c7f6ce6c298 (14 x AgentTesla, 5 x FormBook, 3 x Loki)
ssdeep	12288:Lk7Yi4Xj/tQBWi/y67k86oxVOwBSWmBm7BjUKARzSt:i14/oDnsUgkx2OjUlRz8
Threatray	11'837 similar samples on MalwareBazaar
TLSH	F9E4AFE3F2E04433F16216399D5BC77C5836BE113E695A4B2BE45D4C9F3828238662B7
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23078/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.Herz.B.6016.5488.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a service

Creating a file

Stealing user critical data

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/18a41b50c8885afe4978787aa8c44601134838f73f66e7edc520bad7d76bfad2/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-08 11:33:58 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dcsbwugirbnp4slypb5krrcgaejuqohxh5top3ofec5npv3l7lja._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

13444c52c094b2067a66767847b8a2151da087a99c9391a2547a53a3e4de7056

AgentTesla

420da876f8efdf70da0ec0ccd1b7aaa09547b6868d5fc655c05b50eadf20c360

AgentTesla

5dbe09570ca27d28729eb1ad2da43e91349226a7f1673c07bc88411f773d7edb

AgentTesla

757bfb5a8c34123d653c92fbf978f61c40088cef27a2438142f004d90fb0eedd

AgentTesla

83d8b3913153282a251fc2f7bf74f701e02969441341297823957e5d35a5c3b0

AgentTesla

a5059c6e3bbd590aa20810ed73f51c22b0140612e59c57a349c463769a6c9236

AgentTesla

aa00f82fb3dd04417a278bc9362becdf39fcb3e4e23893327e16a8792334635f

AgentTesla

def5dbf8e48af782ccb741ff6a1e1357af8dcafb701089b7f2d1c0919ae79f05

AgentTesla

ef4ae3267d280e27deddcafd021cf4d4ac90adab048cb271001a32a339b3b227

AgentTesla

+ 11'827 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200708-8ccdte87rx/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/23078/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample