MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21d19ba98de8b710605e144809cae73bc3b7606cfc49e995a267cf44e4c2638f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21d19ba98de8b710605e144809cae73bc3b7606cfc49e995a267cf44e4c2638f
SHA3-384 hash: 630947a9b9ae24919d2c2e016675d383766fe781e8e03df6fd665b719b3459facd8493d32f9ff639a6aef98adedcca89
SHA1 hash: a0a32e969872a3548a171abe78223d2b44061ff3
MD5 hash: 5e5769b61d855338e115f91ec350d27d
humanhash: ack-louisiana-pluto-mars
File name:promise cripted.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:470'016 bytes
First seen:2020-07-07 08:48:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 04726b68348c0c3cf827797a9f6695eb (10 x AgentTesla, 1 x Loki, 1 x 404Keylogger)
ssdeep 12288:54p4rqo6AW98JN3MS57jlX68BsGLXw64FJ65oDPS/2F3oRzg67DOZlcESs:5Bm8mFS57jlXSGLXw45O4K6bEn
Threatray 11'303 similar samples on MalwareBazaar
TLSH B4A423F3DB429D71D16808B240172A6843A4A17B34AF6B972F50CC6DFA365473E26B1F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: antyca.vservers.es
Sending IP: 91.142.220.128
From: Jean-Paul Mochet <Jean-PaulMochet@franprix.com>
Subject: URGENT INQUIRY...
Attachment: QUOTATION (contains "promise cripted.exe")

AgentTesla SMTP exfil server:
mail.insooryaexpresscargo.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22085/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Creating a file
Launching the process to change network settings
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21d19ba98de8b710605e144809cae73bc3b7606cfc49e995a267cf44e4c2638f/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 08:49:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ehizxkmn5c3rayc6creatsxhhpb3oydm7re6tfncm7hujzgcmohq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0f0b1cd861f465468fd8923d54bdfc0362c79e246ff8e702790ffcb6f198cd75
AgentTesla
1e951012c34ea9b3762e742c890933a799c4c487abdc7639abae579eebf50e9e
AgentTesla
85f9449b3bf138291017bff513ccc66cdbbb81478098149bf6ddaf44410c235e
AgentTesla
8993c6ffa46e5d51e517982dca4e5bb6ba32ed168348c1d4004a41a581282a1f
AgentTesla
8eb3933e2012364a81fa9f1003c485c03c6cafd61eefaf1b4059cc8d4a4066a7
AgentTesla
9b05b77b3afaacbcbf23eadad8866e55c4d21d007e5107e9f30c0d93b51fd0b4
AgentTesla
ae29309cd07a69a999f452b2ae38f9b444e3ee7ea1b7fb3579578abe23bb5829
AgentTesla
e3574b9f84ca8cf778a664b60c2d6fde9049c51a384f5fbe49003fe806afd966
AgentTesla
f33e536c31c5aa7b5a463c4c9243b4369de785e06648ae076a8822f11797076f
AgentTesla
f7c15b22bb99bfb56eabcd9b8c985c15c5d9ed341303b39362dccb6808a6a498
AgentTesla
+ 11'293 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200707-zdt5yhp2xs/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 4a2a1daa1760a7423f2b755dea3b32ccb7efc5a4b3ddd866f1de2eafcbf7c9d0

AgentTesla

Executable exe 21d19ba98de8b710605e144809cae73bc3b7606cfc49e995a267cf44e4c2638f

(this sample)

  
Dropped by
MD5 d2a4fe5fcdba15677f2a71fe64d60931
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22085/
  
Dropped by
SHA256 4a2a1daa1760a7423f2b755dea3b32ccb7efc5a4b3ddd866f1de2eafcbf7c9d0

Comments