MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 271d081750e61123ceda8a898533f5b636254030a65f14a71ecae2b8ea649443. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 271d081750e61123ceda8a898533f5b636254030a65f14a71ecae2b8ea649443
SHA3-384 hash: 0d1c27193a2525776240a2e54dfe9acabc4cd62e23ae4d0729a9454ecc740950094a266be2626f33eb5992af785dc353
SHA1 hash: 605f27f06e2c1d845bd7103ad240a0a0f69b278e
MD5 hash: 64d8456a1135c085e268baf3f222a356
humanhash: october-twelve-cold-sweet
File name:Nasco Emirates WLL - 27052020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:396'800 bytes
First seen:2020-06-01 07:55:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:S7v72J/5pq7Z8kVeamDepKzL1r6b9W0iWiyOCQqzmCwk6RfUMLCd/d:S7v72l/qVZVEDepk5ajiyOCPSCwk6Zm/
Threatray 11'279 similar samples on MalwareBazaar
TLSH 7884124C233C0A2FC3AE29F819E5746053F4DA96669AF7D38EE110F62D963D0CA01D97
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: nascoem.ae
Sending IP: 209.58.149.66
From: Peter Victor <peter.victor@nascoem.ae>
Reply-To: Peter Victor <poonam@mafemobile.com>
Attachment: Nasco Emirates WLL - 27052020.uu (contains "Nasco Emirates WLL - 27052020.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Genkryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-01 06:33:22 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e4oqqf2q4yishtw2rkeykm7vwy3ckqbquzprjjy6zlrlr2tesrbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e79063958c1813f1809eed7653c0b682acf7270b234187374856c07f93c7b6b
AgentTesla
0f3fe234c700b316a460c05098c843efbb0965b672d0e7a6f58028669c37ccb9
AgentTesla
400ad786bf1e76812b70a3ab4ba345668fe07c176743f412f6ff5372238c2320
AgentTesla
63b4e4beaf7cb64789e465392b51d438b73184676d7ab496112a53e8651d41e8
AgentTesla
99e3fe0d987e5351288ec41b56373bcf5a7094ea41af08b998e801a6ec1ed092
AgentTesla
a3f8c63b9925504706f889dc1bc944a5485144007b80b042cf53accda4f650c1
AgentTesla
ad98f33158ced7ab0acb3166f2d14ea2cf74c39276f478b3922bd0224a0f49f6
AgentTesla
ee02d4480e7e74c5015af1c4617271afb1ea208b0992050726ae3bf44e268cec
AgentTesla
f0006754d451556014c91039915ea9505f348f80538e536d30b75c5ef252d73d
AgentTesla
f4b3f3f1705bb5ab7ed5d0dc4bcbae09fd927a760aadbce66762d311450750b5
AgentTesla
+ 11'269 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-j13ee2qc5j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 8d3c84850698b94b745a7ab54428780e02317d81165c18bd3a8bfe7a459150c4

AgentTesla

Executable exe 271d081750e61123ceda8a898533f5b636254030a65f14a71ecae2b8ea649443

(this sample)

  
Dropped by
MD5 895e8ec08f80cb1524b32fc1c740151b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8d3c84850698b94b745a7ab54428780e02317d81165c18bd3a8bfe7a459150c4

Comments