MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2331837cf27d223a23b000cdf14f026c383a628ae69d516726b19fcb9424359a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2331837cf27d223a23b000cdf14f026c383a628ae69d516726b19fcb9424359a
SHA3-384 hash: 66da9e9e14c1f8af7b145a294e9cf2206de0f20b01117eb3b4bc0a160e720bf8efc1f5ecf528a3e81a565335159a403f
SHA1 hash: b8beb89a50fc14b0a077b5ca48015a8a73ac9e77
MD5 hash: f8867101a2ca99c571360d7d95a8116d
humanhash: lion-missouri-oregon-tennis
File name:P.O#972020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:544'768 bytes
First seen:2020-07-09 07:48:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:OKOEacTaulCSRO6d1OBwhT9v73UOtmEyyFoTH6n77:DLTESRVT9v73YEnFozG7
Threatray 11'289 similar samples on MalwareBazaar
TLSH 49C401BA32E42C37EBB804FD51E2FD504FB4890764A9E7C85DD920DA90F6FD816411AB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: outmx-267.london.gridhost.co.uk
Sending IP: 31.170.120.152
From: Paula Dominguez <pdominguez@pablopadilla.com.ar>
Reply-To: Paula Dominguez <ventas@mingetal.cl>
Subject: Re: Purchase Order
Attachment: P.O972020.r00 (contains "P.O#972020.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23546/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2331837cf27d223a23b000cdf14f026c383a628ae69d516726b19fcb9424359a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 07:50:14 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=emyyg7hspurdui5qadg7ctycnq4duyuk42ovczzgwgp4xfbegwna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02e52123ac380ed5e3b0b8ce9322680b8e1d8082c9f181588cc7213cd701d69d
AgentTesla
1237b8ef1ef28e7481b47113c644429a68c87858cc5ee8a020607f75696863d1
AgentTesla
13444c52c094b2067a66767847b8a2151da087a99c9391a2547a53a3e4de7056
AgentTesla
305586aa88966e490ba86bb7cd7a2e1cbe9f195c84b70aaf5ef0c9e714961723
AgentTesla
3a646d051e183a55d297b684e6f74bc95ab57846c8ffde301338a5b60f8ed7c7
AgentTesla
68127a3666833ba7ab999e65ed3c94b02f6fded7b3d468cecc3895ef340ef833
AgentTesla
68f9789527e83e614dc50e0279316745c15b43c7f72f8e7c5d4b99d8a656ff12
AgentTesla
9d3c04431db8d2630361ac69def49189101a5bf017627be2f147bcd66f3c8d29
AgentTesla
ab7b7b589c80bc6ceb6f90ef56b1b9041f03cf2b67792542dd5e4f738db99c44
AgentTesla
dc3245988d1435d304f7e634a8525165b4703360b3d176a3508a7595c96dc301
AgentTesla
+ 11'279 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200709-v1vfff23sj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

08058384cd961bc4f1366ce2af0c535f

AgentTesla

Executable exe 2331837cf27d223a23b000cdf14f026c383a628ae69d516726b19fcb9424359a

(this sample)

  
Dropped by
MD5 08058384cd961bc4f1366ce2af0c535f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23546/

Comments