MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c4b9a6e6e06ba66af9feefe1b1a585a48d242aef0034d0bcc78b7217e11dc7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c4b9a6e6e06ba66af9feefe1b1a585a48d242aef0034d0bcc78b7217e11dc7c
SHA3-384 hash: 270f925babbae740e5b486723d42de2d0f87d8b5f05c3c4126738bcbd82ea05d3f788a3a30cd4a56f24dad27d9dba788
SHA1 hash: fec4fdbcf43e4779e43d8adbad1c97fb3dbeac7d
MD5 hash: 0709491396762b7eb39ed6c2691967dd
humanhash: blossom-cat-seventeen-victor
File name:0709491396762b7eb39ed6c2691967dd.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:991'232 bytes
First seen:2020-06-17 10:48:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c5930d78fbf43bb1310362850cf7589 (10 x AgentTesla, 5 x Loki, 1 x Pony)
ssdeep 24576:rHRSh19IxsqFRG3vtiAA0qyDIRofBkpIwEk:rq19qIHtfBKqk
Threatray 11'129 similar samples on MalwareBazaar
TLSH F225AD2AE3918433D1732A3C9D5F5775582ABE102D3C9846EBE58D8D4F3A2817CF91A3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
dutchlogs.us:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19518/
Detection(s):
SecuriteInfo.com.Adware.Generic4.BBFB.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Chisburg
Create hunting rule
Status:
Malicious
First seen:
2020-06-17 11:36:12 UTC
AV detection:
43 of 48 (89.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=drfzu3toa25gnl47537bwgsyljeneqvo6abu2c6mpc3sc7qr3r6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
47c8fab622177ddaa495e4b9294c0949be6c7572ef15f831ee7c326af0200ccb
AgentTesla
7927d24010f7ec25ea4026291036fbab975b5ff66398658e15c59165bb71e953
AgentTesla
7f8d72a4a54926d36622fed3a0dd9f4ba33da40755ed127ba16c18ca53eccd54
AgentTesla
93a5402cb48bbdb12239e900a7f15376b5dc817a10a0bf1952d27d7762fb3a26
AgentTesla
9622729f9517d5a5eecd4a278ea564d750b17e300337a0f0e023c986bf0e537d
AgentTesla
a884c6f90ec51dc6d39304e05efe5820d5c11afcd90abeaca8969b4adb9448e7
AgentTesla
e13ff526ce3e9f7e3684d6f6e0bd9c34d8c50dd53ed82467e672c3f622e4446f
AgentTesla
e888883e6993ab7df3edd30eba22f6282c33324a21ffbed661c6478393e2296e
AgentTesla
f92996df2e909d06db8e0a3af572568fe0a321d1e09933fb7c50f7e6fc8ee976
AgentTesla
faa14b162487c010a973901cb7a91e48c512b0193fd449be475f94c32b0ff212
AgentTesla
+ 11'119 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware persistence keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-bwv5qnphsa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Modifies service
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 1c4b9a6e6e06ba66af9feefe1b1a585a48d242aef0034d0bcc78b7217e11dc7c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/393749/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/19518/

Comments