MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19431ff59946eae2bff6bd9ab5dde7fe6cf57495e2ffa388c92544e24f8f77f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19431ff59946eae2bff6bd9ab5dde7fe6cf57495e2ffa388c92544e24f8f77f1
SHA3-384 hash: bf52367e3311dc74345e56137ced48ea26e341c91d1d487ac6b62ac1f249b7c5600386e21b7f8fb6a0eee83a698360a7
SHA1 hash: 1e29d1d7e9ab44ef51363715256230ac762df94f
MD5 hash: 7d92069a9a8ac8a672b62b5310b05f92
humanhash: island-carbon-foxtrot-aspen
File name:J636O1HwRb7NUme.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:422'912 bytes
First seen:2020-06-30 12:12:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:u4pRKGFfs6pZdYakSNJgik8Wcr7JO9Y1OvtZ6yxI72VK8ZcGQlnW5:u4pRKGFNZdLNyiXWcvgl/giKacGEnW5
Threatray 10'606 similar samples on MalwareBazaar
TLSH F394023563B65F29D5BA93B566B260010FB2BC17B938D32D4D9466CB0A33B509322F73
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.beeinspire.com
Sending IP: 115.124.125.172
From: Prakash International Pvt. Ltd <r.jadeja@pciplindia.com>
Reply-To: rjadeja-pciplindia@post.com
Subject: Hello Sir/Madam
Attachment: PRAKASH-550100.rar (contains "J636O1HwRb7NUme.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17115/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/19431ff59946eae2bff6bd9ab5dde7fe6cf57495e2ffa388c92544e24f8f77f1/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 12:14:05 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfbr75mzi3vofp7wxwnllxph7zwpk5ev4l72hcgjevcoet4po7yq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09201fd4fd289b123e518e541812345e816181a9cdeaecd1758bb337b807f881
AgentTesla
2645e6f05ce2c3ebfb5e928cfe3216d6da26dbe57c63113d70b8447b3fd21b5e
AgentTesla
3c145f3d7a19f92700b5f14e542daa3b183736e67eee78606e37ef02cd642ebd
AgentTesla
7ac2dee76520e25a21918a6ee79eedaf1a9de51aaee643d21d9cf6346451555e
AgentTesla
ac817954a4511d2a0ffca7832b48d137db1b299d7ff055709eda1d12460e81c0
AgentTesla
bd7ff9e1c774994bdb69476411ede44d9b837f4f1994bdfdf620e766d500b1a8
AgentTesla
cfdd6d4f9c20199dd0ab9baa8c2a21e9855db1816650c80f06f72cc1b05cd40f
AgentTesla
eea3d6de7952101ff57da6f48ea85ecdbaf71bf5027d0d20478021d842a21101
AgentTesla
ef3cc252a620298fe8af185c7648888f992ac6cf8d7c299b8abe97b299533633
AgentTesla
f0f3f94877ac55a99e46669fa232ef88e1646b019864a27229be3ab23a17bf85
AgentTesla
+ 10'596 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200630-19s1jexqrj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

fa3ac9cbd5e07d7adc4206fcdf2656e1

AgentTesla

Executable exe 19431ff59946eae2bff6bd9ab5dde7fe6cf57495e2ffa388c92544e24f8f77f1

(this sample)

  
Dropped by
MD5 fa3ac9cbd5e07d7adc4206fcdf2656e1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/17115/

Comments