MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b1e4f6443927562d460588af4264fa5c5bdde4b29779588d5c0998269958f56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b1e4f6443927562d460588af4264fa5c5bdde4b29779588d5c0998269958f56
SHA3-384 hash: 34427b3099debf806b3e3f2760a791c4daeac2ab7617a3538c55548dbfdcdf68dba8f4706a23b436159d4154263c5dce
SHA1 hash: eeafd63dfbc6bf1382c91776339bb7961650836e
MD5 hash: 8743e93a1e028dbcc56c94b6e79fc8d0
humanhash: table-hot-pennsylvania-comet
File name:RFQ_ITT 05-05-2020.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:465'408 bytes
First seen:2020-05-05 10:08:57 UTC
Last seen:2020-05-05 11:11:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:hflPTiTqtBrFGOY6VLzXPZi6/veRASCiqy1VyAEhx6G5Q:LTiTqnRGaX
Threatray 10'784 similar samples on MalwareBazaar
TLSH FBA46BAC7A5076DFC867D876CEA85C64EB6138BB531B9203902315ED9A0D99BCF140F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.aduamerica.pe
Sending IP: 198.1.66.95
From: DASHRATH ATULKAR <jobwork@tirupatibalajee.com>
Reply-To: DASHRATH ATULKAR <arkshopibericq@gmail.com>
Subject: Fw: RFQ_ITT 05/05/2020
Attachment: RFQ_ITT 05-05-2020.pdf.iso (contains "RFQ_ITT 05-05-2020.pdf.exe")

AgentTesla SMTP exfil server:
mail.apipharrnatech.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EJXI.27991.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 10:36:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fmpe6zcdsj2wfvdalcfpijspuxc33xslff3zlcgvycmye2mvr5la._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91
AgentTesla
0d048612a3cb9e6113b539ce3bd2f08f56e604869cdb38edcf02400ae12c3a74
AgentTesla
18ee411e31ac1f4e3bcd2d811b147853bf2977645c631809acc75b7639e7292c
AgentTesla
5bdd8fb618fac11ac4607b9d16a0183a461366e00f37c09a651cf3fa62a61424
AgentTesla
9297d40e8a55c2bb0d833d2210859dbe1a3486503f47781ac46cbb96d842407d
AgentTesla
ac91a92482a83fc39b66e0e3f6c46839fd77d16316c38830a9921ca707e824af
AgentTesla
bb215970f09e072c24bbc17c0c255447861c7f9f01c357dd6670ca5c49dc2262
AgentTesla
c102aeafa1ba9f31a8433b1c3b14f8e555eaf7d2dd5af0cd63403ff0160134f1
AgentTesla
d92c7343d3643bc031c353f789cf3a28d5a152a10f5848bafb2ad99f4a49f99e
AgentTesla
facf028923bb080f70fa54f8c547679651df7d1dbb618cdeda7b16f8fb0f4005
AgentTesla
+ 10'774 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-2a4xxlpw92/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 91780bc24c040e181ae6165a2bcd3a5aedbf8f8a2cc4245741e4b7a0845d6a49

AgentTesla

Executable exe 2b1e4f6443927562d460588af4264fa5c5bdde4b29779588d5c0998269958f56

(this sample)

  
Dropped by
MD5 6e08430f378a4ab279d6760bdd24807b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 91780bc24c040e181ae6165a2bcd3a5aedbf8f8a2cc4245741e4b7a0845d6a49

Comments