MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a431d0304e370e8acdc74d64ec7333b45628d903ceef803b1a5a847b58b59ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a431d0304e370e8acdc74d64ec7333b45628d903ceef803b1a5a847b58b59ae
SHA3-384 hash: 7e1b43f3f52bf8a754f8a5135cede9ec5ff01f803d327c22b830d1c86fa19d4a3f82f178bca5ce60bf121c93c8551993
SHA1 hash: 6de0fbfec3cd3ff981b290cfdc565560ed95f6e9
MD5 hash: 3ebae084a3e49c807be8931aba2a9e94
humanhash: arizona-georgia-beer-delta
File name:PO I5480.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:480'256 bytes
First seen:2020-06-18 16:44:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:YAoYSZEgn05KWhxNd9zjNXeFD4EIsfkvFcobH6sYUagr2iN:YAoYPc9WhxNd9zj/ExW6Fgr1
Threatray 10'635 similar samples on MalwareBazaar
TLSH 65A412BC17B58B29CD6D43B836B9124987B552432603EF7D0B40B1AD4FB3B65CA207A7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: emoserver6.net
Sending IP: 82.165.141.26
From: Jessica Gómez A <oficina@iremin.cl>
Subject: ORDEN DE COMPRA IREMIN / PO 15480
Attachment: PO I5480.zip (contains "PO I5480.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19831/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gc.18170.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-18 19:19:49 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fjbr2aye4nyorlg4otle5rzthncwfdmqhtxpqa5ruwuepnmllgxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cf35b9dfe52fa0c91e35f34048f808cadef2951c23f433d1595b7ad48595b50
AgentTesla
27a17a1a1ea5a6fe28d30022d246f75e80942a6a9cbe483f87f8b6c103d39a8f
AgentTesla
2cd664671f3e8736a9840f60a49c1ec060e4cc4d5af71bd5c32155159ea6ce10
AgentTesla
74ab856c2d5235f78fa546a5086abab294bebfa2ae9550345e272f6a645f6d80
AgentTesla
809fdee70ce841019d1f2216d05a76701a1a2d52d08bc58a129645aae88ca695
AgentTesla
8d053866df085d2d3a41812627b3df57dec40d25dbd137fa4558b628b80089b4
AgentTesla
8dcadbefa739a5144eef16bd780e73af991e71f60966de10fd79b593a4f16f1e
AgentTesla
b82e693dedd53f108f577be970b7b27951248512b1ebde80ac36be8a8521554c
AgentTesla
e06afa0c894ebda14b627718de1c45ac92bc1037a26592f4df7751c918bb1bc4
AgentTesla
e900c3505d7f63d785fb86b4ee53ebd3def2d764f881d6015aa224ea59a098c3
AgentTesla
+ 10'625 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-4dt5j9y15x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a65515f3a72f15f2c3a135dfc335789a

AgentTesla

Executable exe 2a431d0304e370e8acdc74d64ec7333b45628d903ceef803b1a5a847b58b59ae

(this sample)

  
Dropped by
MD5 a65515f3a72f15f2c3a135dfc335789a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19831/

Comments