MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1aa5850bed0207347b3ae757894500241e9b409004f3b762c58da5e0c4e12ad9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1aa5850bed0207347b3ae757894500241e9b409004f3b762c58da5e0c4e12ad9
SHA3-384 hash: 62aaec9bc51af18f6ae021981610346395d139b12961b31b66b1df073e5f81b40b63b4fe315f75bcc830ac03133c5348
SHA1 hash: a7c89d5fb830970b944b1a5a7d66985eca6571db
MD5 hash: 75ebe74dbf595f658b4232d1cc830dad
humanhash: victor-bluebird-lemon-tennessee
File name:payment notification.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:413'696 bytes
First seen:2020-05-06 17:43:11 UTC
Last seen:2020-05-06 19:04:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:6HT7VMv1pm/4LIHb+0D+yHqlc5aIOcuD+n7ic6ZqBuyyln9+:6z7V81Zu7D+aocXnqlyyln
Threatray 10'561 similar samples on MalwareBazaar
TLSH 2A948C359DF811B7E568977DCBD084EEB3EC929F2B119D3A1C8E524442B36C3628217B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: box.kedachina.co
Sending IP: 157.245.211.27
From: Paymentsemail@fnb.co.za
Subject: Payment Notification
Attachment: Payment Notification.r10 (contains "payment notification.exe")

AgentTesla SMTP exfil server:
mail.mygtti.com.tw

AgentTesla SMTP exfil email address:
ouriertransnet@deliveryman.com>

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.44615.28917.3381.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Heye
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 17:23:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dksykc7naidti6z245lysriaeqpjwqeqatz3oywfrws6brhbflmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b81122767d7bd31750620d08e7e59cd3302c2f557cfa0918c5d447e95ac5638
AgentTesla
0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
AgentTesla
35171408c49e8a440f8c96bf47889cc94b310a9c968e771f7d8640079fb8d798
AgentTesla
4b8d62db8bc41db322d93e617367b302796f211080ca07d138699a2923aafb23
AgentTesla
74f9b9d090503f2eb3f549a9eaf80d659e5c09d89dfcdedbb3e6f3a01421bc05
AgentTesla
863671feec199c01ecef1698e6eb7285ab6c2185d72e8ef80f3fa26493089b4b
AgentTesla
96ff361eeb8ab440652d1cbb8b28146f8dd9ee8cf9885f84ff4592b2551da57f
AgentTesla
97c3cf905c068daf00bbc9c10810ff4437d953c3263e962b0454d0babcfe5494
AgentTesla
dfb0266da4ad6a4334216c26cab2383155a702a1b0738be8c8e2d671e1c998e7
AgentTesla
f94e8615fb3b739ab3ad8ec81511b5439a72d4e865a5f9975aa524ac6036d3c2
AgentTesla
+ 10'551 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-erxxnxm3h2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 788f4e7d7979e75de67be2425ef5e98f75f5e6c0ca18a95282ee8b34d372c594

AgentTesla

Executable exe 1aa5850bed0207347b3ae757894500241e9b409004f3b762c58da5e0c4e12ad9

(this sample)

  
Dropped by
MD5 59a4a2b8530142daf1be605b7146a526
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 788f4e7d7979e75de67be2425ef5e98f75f5e6c0ca18a95282ee8b34d372c594

Comments