MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ed02e3d62ab52224d7e809c743cc7f69b840a9bae0454cd9f88a788d02fc44f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ed02e3d62ab52224d7e809c743cc7f69b840a9bae0454cd9f88a788d02fc44f
SHA3-384 hash: 6549e5d6beea8f4b10bf3af69bd85afde9166a26dbc57fb91bcc5b6e23720ac537fe62cb395cd0975eca2985c2285153
SHA1 hash: 1d0f5e539705ba399c6da71203cfb7cfbe0c983f
MD5 hash: 9afe615404799f7e4aa8c01029a774b4
humanhash: indigo-green-rugby-four
File name:Screen Shot 2020-05-11 at 1.59.23 PM (2).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:518'144 bytes
First seen:2020-05-11 17:14:42 UTC
Last seen:2020-05-11 17:50:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Ic1k54cz70QtxLy+Y5UhJJ2C/TMkQ73sEgf6ryEW:Iuk544ftVYiJdMkfIyEW
Threatray 10'626 similar samples on MalwareBazaar
TLSH 3DB4AD1A6108A54AD5E8F535BF82CC713380AC5E4C3296B365EF7C8BBAFC54743C6896
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: soonaik.com
Sending IP: 209.90.237.12
From: Lenito Gonzales <pm.fpl@soonaik.com>
Subject: Re: Customer remittance $85,217.58
Attachment: Screen Shot 2020-05-11 at 1.59.23 PM 2.rar (contains "Screen Shot 2020-05-11 at 1.59.23 PM (2).exe")

AgentTesla SMTP exfil server:
bisol.icu:25

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EJRR.2938.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 17:36:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d3ic4plcvnjcetl6qcohipgh62nyicu3vycfjtm7rctyrubpyrhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
016bf81b8cdc4fcc9ac04042ac139e89d3ad2484dc76f42085582ce957efe536
AgentTesla
6bdd8e261ca0797db3da63df3f15f121adac13e96ab268d18b44ea769242559d
AgentTesla
7d50f85be9ba623c39990f888b9d1d43ac5fa8c317529a3256f4c79d48a626c7
AgentTesla
90a3f9c16212982044dbc219b787e1ac251f48dd011a202a8c125dc049c3036a
AgentTesla
9ac8d9211067d6a7481de6c319a8b1539e60d6b63b4cf8588167fea878b5bbf7
AgentTesla
aaf458d72c1ec9e6a99d8b10d58f54b6ae6695277e69a768152d8b35ac0bd65f
AgentTesla
bca6c7e57581bc8bb91c9a9aa1f7d7d36aa35c630b37cdc4bedbd68df74e6186
AgentTesla
df696f5fa3df8ce1eaca951cad491770b1d7aeb6e6326a360bcdb266f6d31620
AgentTesla
e53b85600f2e1d2c612854eb25aa5ebb3cf93a966aef11b22e186f65cb097506
AgentTesla
ea2e7ec387cf91e0ad3d44c01b25adc702061e93b66d21f8b3dd1eab812045f9
AgentTesla
+ 10'616 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-c8fzyd14vn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar f76de245f58b4e3adeaba4681ed8bb37cc628f120d30b3f6b54d23923a6e1b68

AgentTesla

Executable exe 1ed02e3d62ab52224d7e809c743cc7f69b840a9bae0454cd9f88a788d02fc44f

(this sample)

  
Dropped by
MD5 1882a6d088bf58a4f78262f753815602
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f76de245f58b4e3adeaba4681ed8bb37cc628f120d30b3f6b54d23923a6e1b68

Comments