MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2891f7e6c9ba11f619eb1288ce08e05e98b2d6881737903cf04fc7043099a8fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2891f7e6c9ba11f619eb1288ce08e05e98b2d6881737903cf04fc7043099a8fe
SHA3-384 hash: d9af372749925ae795188545c0cc0b89b99271a0a5869843e7dd104df8e4339244da3b229241ba51dd8985bc1b598357
SHA1 hash: 1ac626eac454b0b90af0c7d40e8f4bd9a8f16bd0
MD5 hash: 1b4c9567d62ebbf90b96767e8d489004
humanhash: eighteen-bacon-wisconsin-march
File name:Despatch Note - 6183111.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:465'408 bytes
First seen:2020-05-12 11:43:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:EWAWAJzBdlvMkVd/0rNx0qzvsOXPKgN32UKX1BZD5G05PGnfsryeVjf4sE7yoah7:EA4dtSrPFjkUirtTuBmrEyoa+JIjbx
Threatray 10'665 similar samples on MalwareBazaar
TLSH ADA4F1267298AF03D27E51FE8451D344437DA09267D3F3DB5DD290EA12E07C64A89E8F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: madison.co.uk
Sending IP: 103.207.38.237
From: Madison <customercares@madison.co.uk>
Subject: Despatch Note - 6183111
Attachment: Despatch Note - 6183111.zip (contains "Despatch Note - 6183111.exe")

AgentTesla SMTP exfil server:
mail.dormakeba.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR.32156.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 12:41:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fci7pzwjxii7mgplckem4chal2mlfvuic43zaphqj7dqimezvd7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04f52aeb0c5923b55f2576643009018b6ac3c7fd3569340312f3bc3fd1eb1120
AgentTesla
0cbeec037901550f7d50076bd0aef2937cafe6699a81c3859c47debd90fee98e
AgentTesla
0ff96346be4508292ddabc6d9b32fc697b710d5f826e9bb213f7c2f4492d2937
AgentTesla
131d016519d6ec1f5ce66362f5c4c917d4cdf0648242f20272b59a43764c53f0
AgentTesla
2c96b6799b4a15f6cd01ae6aabae3181b13d128b7b085854c77ee71253139040
AgentTesla
39dc873bb74e369b04ba0b7c06fae772f38b68f7f7faf5cd80fed361664cc2c7
AgentTesla
8cc3eb1b92635cd89929ba1f304db7653487042bb9b04218fefecde8a5974fca
AgentTesla
a452cdb62ce6e25a0202e638112c3837fcd9fc7eb9b8d21b49fac3da79d2e27a
AgentTesla
f134ea682b658d440872d3bee407f639781cc715e9427942bbf896db8822a112
AgentTesla
ff39d5481f489cbb3d09f5377d437b6d65b137f6616b3439846a617d924649f6
AgentTesla
+ 10'655 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-v3cvqdq42a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

81052832456e4dcfbe37581e3a4b8551

AgentTesla

Executable exe 2891f7e6c9ba11f619eb1288ce08e05e98b2d6881737903cf04fc7043099a8fe

(this sample)

  
Dropped by
MD5 81052832456e4dcfbe37581e3a4b8551
  
Delivery method
Distributed via e-mail attachment

Comments