MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ee2d1e645387a169bdc6a904e47b6a2546e4d34546733b4aedb7bb22371f90a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ee2d1e645387a169bdc6a904e47b6a2546e4d34546733b4aedb7bb22371f90a
SHA3-384 hash: 30b6929169ce531fb9becd523ae5b34880cb5f0ed8bfc6db3cb76d872855a2cf7811fc6cae662cd80e7350f1ffa1a7ab
SHA1 hash: 835f1b99fa84f225dc0f45c2f70357422389346c
MD5 hash: 9b9299a298cd430f1e542bac8c4ffb57
humanhash: ten-nuts-winter-butter
File name:PO. FSTG-2005007 DOCS_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:378'368 bytes
First seen:2020-07-20 10:21:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:vBSqCcN/gMjjHnfVS/mnH5P4qrJCvNSu0MomGsUs6fcsXh5C/Br3osvnP:5SbciM3fVDPP8Nw6BWcsXO3osvP
Threatray 10'602 similar samples on MalwareBazaar
TLSH FF840210B1783B33EA7993F96418595443F63A5B1071E3186CDBA0EF2731BB886A1F97
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ifegy.net
Sending IP: 62.210.114.5
From: Mr. Shadiman <sharmrend@ifegy.net>
Subject: PO. FSTG-20200017
Attachment: PO. FSTG-2005007 DOCS_PDF.IMG (contains "PO. FSTG-2005007 DOCS_PDF.exe")

AgentTesla SMTP exfil server:
smtp.urban.co.th:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28922/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22091.4418.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ee2d1e645387a169bdc6a904e47b6a2546e4d34546733b4aedb7bb22371f90a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 10:22:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d3rndzsfhb5bng64nkie4r5wujkg4tjukrtthnfo3n53ei3r7efa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
23435f105ddf404a326b4a18d051d76dd91ea1f8079675dc642c87363e12eab4
AgentTesla
2b86e3e8f7388bb64462a66353ad8f588db2d1c989e743977d16a12878c9907f
AgentTesla
6e9ef93b4bb2c7ea78dbba96cb34e747294454c2d142276329951e580044ddd3
AgentTesla
739a47a35b973adcd916d90d15a99c82f6614c2059334078fb6d548a3c7bb690
AgentTesla
88cfd3c2ab74230042107cd9a42dc7e6489ac254700fb20d66395f65de780d3f
AgentTesla
8982509c213f138ffee3d2e0a307d8cf454d5b23f0b23b6e26c05c68972e22a8
AgentTesla
970db37b1b904855cd21d80818893f3b1d739dd9ecaaf8a38237c07e0d455d8c
AgentTesla
994f1d75a5c40c22146ec369dfc81bdef9beff7b8a1ce68adebdc194a2acf36f
AgentTesla
d9351ce503256f14f917a5cb7adfcdcf07a9364973fc324dc9517d407c6bdd0a
AgentTesla
e64218ad9806b9dc3ac2b6bb6b3d47f78de3e6517bb27c0ab62b666bfbd2fe86
AgentTesla
+ 10'592 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200720-xwczfxs8ys/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/1ee2d1e645387a169bdc6a904e47b6a2546e4d34546733b4aedb7bb22371f90a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img f2ca887eb43d7b35aa257b6406b6291aae18f20aaa01ea212ddc7ca4040545a9

AgentTesla

Executable exe 1ee2d1e645387a169bdc6a904e47b6a2546e4d34546733b4aedb7bb22371f90a

(this sample)

  
Dropped by
MD5 ffec161a124621dfb447bc98d1c8ac00
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28922/
  
Dropped by
SHA256 f2ca887eb43d7b35aa257b6406b6291aae18f20aaa01ea212ddc7ca4040545a9

Comments