MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39492ca7d000a28c93084709bacf6b19357e7d79a67b3223ae2c7477bc574aa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39492ca7d000a28c93084709bacf6b19357e7d79a67b3223ae2c7477bc574aa2
SHA3-384 hash: 3a19c6eb7a97bdac4e15015e9b9c751cbab43f0dff25eb3cd77468eeadc4c21c55b8621594b2d92e16db2a8e5568ca71
SHA1 hash: cabb47c10a3c03feb079f8ffb00d655708860fbc
MD5 hash: a4352d77906441a3cd97c7d30c7e580b
humanhash: angel-spring-march-mango
File name:New PO.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:550'400 bytes
First seen:2020-05-26 07:58:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:9FpD6SgUrL7TOBMNfSMbyYNKPFB8Vdr7Z5ZmAlWp:rTxrL6KbyYwPF
Threatray 10'587 similar samples on MalwareBazaar
TLSH E8C4AE9C3690759FC827C972D9681C24AAA1BC7B531BD243A01336AC9A3E6D7CF115F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

From: Camen Lopez <carlosg@tbadespachantes.com.ar>
Subject: Re: New PO#676863
Attachment: New PO........pdf.r11 (contains "New PO.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WBA.12835.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 08:40:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
1ca6d3246b59dbf5e36a28035595f2b886a9c26cbc4329c6ad5e77cbc272af08
AgentTesla
32e7be2844e7be1f6ae7d262eeebe64926946ebbc8e2d91ce3760b8e1d10285c
AgentTesla
36c63120981769bc6a508edf5da75eae9504ab5a1ffa0fe8d9032ed9b8c124e2
AgentTesla
3e0f73ce13623cee18d55d11189dec1fa8d3a7fe10246f29c9124ecc752b7a30
AgentTesla
5e90b08b7efbc0e845c590ae49ba28df3e5312a485a80ea69b9f8145106b12b6
AgentTesla
8a463f15c830e566292963bf3473b16288e71350e97d84359499fd33b7329a66
AgentTesla
9012e6eb19dac84e4c4c926c524b13e02fc3b8b0e3f3b6bf6d094f0c9c7b29ec
AgentTesla
9d7bf4dc88db19c1e81c020478be9a2130cb3420790fa8ae027127f2cfde14e4
AgentTesla
f5c0ac859b78587a20820b4d82fd040ce73e9d725abc55113b1adc6df0968d82
AgentTesla
f7874f0fbf38ca0f147b393300b4349e00a35f84bee132f856e2d08a60ee8e89
AgentTesla
+ 10'577 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-npf36r29r2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar fd5e31dbca53b624ebc1b148be20dc49095914002ff2537b6498b514596c7ad0

AgentTesla

Executable exe 39492ca7d000a28c93084709bacf6b19357e7d79a67b3223ae2c7477bc574aa2

(this sample)

  
Dropped by
MD5 a71e5939eaab5b64ae0caa77fd6e5ca1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fd5e31dbca53b624ebc1b148be20dc49095914002ff2537b6498b514596c7ad0

Comments