MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2956ff2a2dfc07ae7b96a45244d06162a03759c40120ab764c29e25a833d26c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2956ff2a2dfc07ae7b96a45244d06162a03759c40120ab764c29e25a833d26c0
SHA3-384 hash: 8ac3ec169110d5eb88295a9ac24724028c24999d5f98e3edba1fb3ce5d128329b6a13bde329f5ee3bc83853db7235c86
SHA1 hash: 702f223fdb1a230e369b4e8e994a0965045660c8
MD5 hash: de713ccd4360afd9c39c4c200efac410
humanhash: spring-mirror-winner-maryland
File name:PO.NO.062.jpg.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:462'336 bytes
First seen:2020-06-15 12:25:28 UTC
Last seen:2020-06-15 16:56:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Nhd1c7N5T4xNdgTHS5qcu7cNfxfeLplgBdnnnMk:Tzc7N5TYdI+qJgNfxfeLHgBtnM
Threatray 10'561 similar samples on MalwareBazaar
TLSH D9A4F1093BE95B25E0FE9B7A45F215400371B46B6A22F38F4EC530992A73BD4DA51B33
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: blsgroup.in
Sending IP: 103.99.1.173
From: "BLS Purchase"<blspurchase@blsgroup.in>
Subject: RE: PAYAL POLYPLAST GOA PO-0422
Attachment: PO.NO.062.jpg.rar (contains "PO.NO.062.jpg.exe")

AgentTesla SMTP exfil server:
mail.aquariuslogistics.com:587

Intelligence

File Origin
# of uploads :
3
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10374/
Detection(s):
SecuriteInfo.com.generic.ml.25383.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 12:27:06 UTC
AV detection:
23 of 30 (76.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fflp6krn7qd2464wurjejudbmkqdowoeaeqkw5smfhrfvaz5e3aa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0189ad2e08f8bb4c487e31502a7e86ccf2bfaba40fda638f316cb5c9ca80d767
AgentTesla
1a15237891c202365373b5699d8de5f087da47b52690c70d9bd69d747e669799
AgentTesla
77aed51893a8a5e2ab24824dddad42c99cfb46baba36dbe90c72cd8ff6723b7f
AgentTesla
80b4c56e36ef0b631c43b78c0b3d8c27c67244300b0ce703bf945534912e3e99
AgentTesla
9e3c0f860aecec23f638ca83419ead2ea19e42923b0953b0585f9246e1650a23
AgentTesla
b5d738ea5a80bc92eb43fb1eddf4d628412684eda0bdcd2a325a206d1fac0b2b
AgentTesla
bb6bf1c0fb36e175528bcef7e126b0345cbaab84206b0b835c14b98787753219
AgentTesla
d525e111135a2e896a657e0ecb849340a683e13c47893c3df15bed3ee5f5aa90
AgentTesla
e4a764560fc747261834c1568d5280725a64036f720ad42ce847353cb4841331
AgentTesla
ffd474ba42b484a0c7eb8688e37334d55e65c49dcb88dcf3bc542276cd7d5348
AgentTesla
+ 10'551 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-y7vp7llzk2/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
rezer0
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 15487ba85862bf7584245c2297193f9d3939d007c84b9df8832c9ba63bde7d6a

AgentTesla

Executable exe 2956ff2a2dfc07ae7b96a45244d06162a03759c40120ab764c29e25a833d26c0

(this sample)

  
Dropped by
MD5 d1a35f6dc32de3a278fa8d32e04e6d29
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 15487ba85862bf7584245c2297193f9d3939d007c84b9df8832c9ba63bde7d6a
Cape
Cape
https://www.capesandbox.com/analysis/10374/

Comments