MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 380a52805ef62b6314493e5147dfa951d682d0e079fe34852806422b2bf7e869. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 380a52805ef62b6314493e5147dfa951d682d0e079fe34852806422b2bf7e869
SHA3-384 hash: 5f69976242833fe95a0893cbeb1b665b113660c84e388f94aa4d02de5bd48ef1d5e4ea52cc7f775b8b5ee250597bf2a2
SHA1 hash: f935375f26af9e4744011bd310f7a607446d3c38
MD5 hash: c2a4f7048f469799f45552baca473514
humanhash: ack-gee-gee-bravo
File name:PO#65220_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:470'016 bytes
First seen:2020-05-07 07:15:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Vh1S7FgXyfp/yY4LCDRoWLHMm57RfE2NjCoU0KQNGf:Lwe2/rMm57q2NjpGf
Threatray 12'092 similar samples on MalwareBazaar
TLSH CFA402EC3264B1EFCDBBC4726BAC1D546A61B4B6831B4507E00396EDAC9C897DF441E2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: adm-creative.com
Sending IP: 103.26.42.148
From: Smith <pbailey@sw.rr.com>
Subject: Plastic Bags PO#4472230266
Attachment: PO65220_pdf.gz (contains "PO#65220_pdf.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.48469.8365.23954.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 01:14:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hafffac66yvwgfcjhziupx5jkhlifuhaph7djbjiazbcwk7x5buq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
16a372b8bf67ed98f8065274e22b1c36ad0b0a6fbd8a8a4a4afb0e9b07665612
AgentTesla
36ffff33584d663103bfe648c7ef4a78538587b88709976c5583721afe658c91
AgentTesla
415f51fc45bfa2cc9d08ef68776efa27b5495043c1e180fdba23998d42a1edeb
AgentTesla
79794051c590b50104a0346855c0ac6c13058e34f1caf3a4f054c12fa2b41ef5
AgentTesla
9196d4a0129eb39729deea14281b69dfd4e59dfa145e3f186ac6abab385fb14e
AgentTesla
a142c942f9a16d223b3591c321dd47b72526689fb52a883dae9952a5d53b2707
AgentTesla
cc91f115d2bae877c7b29b2e150743fdc1e3a7aa931829a3694ad3d621a9832f
AgentTesla
da95177191327894415885bd683840bbe593fefbe4ea00a4b054c264a3e5e88d
AgentTesla
e12e8d3c045eaf7bcf729f25e39ed21114088534fef748acb3c8e0d2423b45bc
AgentTesla
ff0b6df1ebbe0c832da7869563f4ffd729fdc190e620347ac93b5d2cf31896ae
AgentTesla
+ 12'082 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-mdt429cwvs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 352bab967532bd581ec1cc06d7379174341a1fd8e945091e9d75b4696d9a8a53

AgentTesla

Executable exe 380a52805ef62b6314493e5147dfa951d682d0e079fe34852806422b2bf7e869

(this sample)

  
Dropped by
MD5 85b9ee0562e62f7b7a3c8ca073b0fd82
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 352bab967532bd581ec1cc06d7379174341a1fd8e945091e9d75b4696d9a8a53

Comments