MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32ef6a3c172b8ab59ed668b0fbad8c05dda82428fb2d1ec8e47d9e6db076043f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32ef6a3c172b8ab59ed668b0fbad8c05dda82428fb2d1ec8e47d9e6db076043f
SHA3-384 hash: 01ae7d92cc16f1d124036088bcdae6a28efb9a1d5cb02692b62fa1bf4291a1e45a141abffa200087da934de3892d3e04
SHA1 hash: bda01f5e1c1820f96257245c26f9f332d811af63
MD5 hash: b30a21f2b58357e6fe9b409693072179
humanhash: mexico-freddie-lima-nebraska
File name:RFQ- DMM-G-F&E477-2020.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'427'392 bytes
First seen:2020-05-11 08:28:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94ac44d361a5151c3b27c7d1a876a7f3 (14 x AgentTesla, 4 x Loki, 1 x NetWire)
ssdeep 49152:C03z91im5SXGoWWt54zWAL5FlYxEEg7qxJqgHxbOG8mkvvTz+:CmZ0mw6q4z7PlMEEHiCxKz+
Threatray 11'056 similar samples on MalwareBazaar
TLSH B5B51222EEB04437C17316FD8D1B126C5D2ABE51F918AA4E2BE5DC4CAF3B64138661D3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: fast.kem-p.xyz
Sending IP: 206.189.147.236
From: Trung Nguyen <trung@groupunicell.com>
Subject: URGENT REQUEST FOR QUOTATION;DMM/G-F&E477/2020
Attachment: RFQ- DMM-G-FE477-2020.pdf.gz (contains "RFQ- DMM-G-F&E477-2020.pdf.exe")

AgentTesla SMTP exfil server:
mail.hajartrading.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis85EBAC484AE7.32433.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 08:36:38 UTC
File Type:
PE (Exe)
Extracted files:
394
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=glxwupaxfofllhwwncypxlmmaxo2qjbi7mwr5shepwpg3mdwaq7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
02901340842ac53bba2ca25aa8c52300435c1c7f8c273521d54c60c4ffb92a00
AgentTesla
22165d0974fa72f7e87c8e5128cd1fc3fe6b6dc0ed8e990838229b3a92234349
AgentTesla
2d642faf36b978257eb3ecaab096fb7a47d2420cc9dbc052130aa5fdde1f4726
AgentTesla
37d7cd08ca91dc9962cfd418aafc0d115b954ee72c181feaf7d986c1f56b26a7
AgentTesla
60b66b4e182a7c2510e2abecd821a0cb30de3da1309e01ed36230cc9bc556cac
AgentTesla
7ab75859697472c8bda10b6cb7e7ffa7c8f5ce5eae3e7c67a565ffad2c6de83b
AgentTesla
8948e4e0f392197b1c1436e5f7a2a7bc326c849b6129d8cf287a6d6a03cd642e
AgentTesla
982d2699709d7a024a542a4f771a544cf987ce8d8f15cfa3dcefca157b251e3e
AgentTesla
e0e1906cf3bdce3052f97a950aef614488f566a4d587428d64d0c848f97a7a4f
AgentTesla
f2db78e5165646f19a5b9438764740b24ab4c578890cd68e292cedaed3f7ca84
AgentTesla
+ 11'046 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-t3e9978rg6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip be298767ad54766886155cdcfbe7ead13b39e506c629e5c5f7ce5b8a620b1500

AgentTesla

Executable exe 32ef6a3c172b8ab59ed668b0fbad8c05dda82428fb2d1ec8e47d9e6db076043f

(this sample)

  
Dropped by
MD5 0af486aa70e1c864ae78f11ce3591d01
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 be298767ad54766886155cdcfbe7ead13b39e506c629e5c5f7ce5b8a620b1500

Comments