MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ff1de0297dd152c86b5e08d1f9a7b3e34451c5d480ce3371b3dfead8b951340. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	1ff1de0297dd152c86b5e08d1f9a7b3e34451c5d480ce3371b3dfead8b951340
SHA3-384 hash:	7faa581989796ab0802ca1f7f89e4448508b14a7e567d974a093b77fcea083db1803d2954b3d241496ac93d0f06a12d9
SHA1 hash:	3e431ae577576f458c2632a7b4a4f3cdae169f6c
MD5 hash:	f4b4e175b68a2dba98bb03c709b8c895
humanhash:	failed-north-nuts-east
File name:	MV CAPE AZALEA.bin
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'341'440 bytes
First seen:	2020-07-15 07:12:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:S2/SDJIvvde9nJYxDJIvvde9nJYCVJUWxq2dyklZIqPzm/aC+C+/n6APKQ+KkR:+Iv0nJYDIv0nJY6JRgbqi+f6Aiqe
Threatray	11'454 similar samples on MalwareBazaar
TLSH	C9557C8121455278E164F0FAE60750DAEA04EC3EE5E068B67678FB1A8474E73CDC5FAC
Reporter	JAMESWT_WT
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/25890/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/1ff1de0297dd152c86b5e08d1f9a7b3e34451c5d480ce3371b3dfead8b951340/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-07-15 04:42:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d7y54aux3ukszbvv4cgr7gt3hy2ekhc5jagogny3hx7k3c4vcnaa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1b4e28dcbdc43bef452529271092f42190ea171e724dbf659622d170f6b7e080

AgentTesla

4d3921886e9f29681da48f378e792b39d307a1c3e39730993e60375b1007d87e

AgentTesla

7acb2b59ce9c0d47837e11811c93838730379cacae7bfd16d2d8db107da3330e

AgentTesla

a75040c1f0f11bf9629774525960c9cf35153727e1191057b575fb3c1ed0700a

AgentTesla

b65f542c74ced21ba853b4840f0cfad311027e518b1c3925bd530a2da424293c

AgentTesla

be905b9aac897739d22c1078e60be1111efc7a9ec25e205d664e03a59730dbea

AgentTesla

c230f8806524febe04ac6856d1629d92b5c3513f601b3e39bac2c7f32c0ac4a4

AgentTesla

ca1ebcfb8bfb0a2463a1e28d218d69f1b3d1d4b97be41781a43b151b7e799a61

AgentTesla

d292c703d6c7844272153236ee5fa43434264b80ee3883991a9f860f924f24e2

AgentTesla

+ 11'444 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger trojan stealer spyware family:agenttesla

Link:

https://tria.ge/reports/200715-d4gdnyshd2/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/25890/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample