MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40ef9adfcf675caf8054ca9c3635f3e47bc0bb99f74b63781976adeedbecdc5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	40ef9adfcf675caf8054ca9c3635f3e47bc0bb99f74b63781976adeedbecdc5b
SHA3-384 hash:	1aafd500dfc0c1c22a039e9d8130faad2d71c6604a680dae34bd676d0774142afc103c5e48ffb3fcc46133357e644743
SHA1 hash:	d4503c9bf3bbf71eae9669204dc4dfcaf6199469
MD5 hash:	cc737306a457d4681063760d587cab8f
humanhash:	pluto-music-emma-nineteen
File name:	Ticari Hesap Özetiniz.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	942'592 bytes
First seen:	2020-07-03 12:25:27 UTC
Last seen:	2020-07-03 12:53:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b5e2f1cd1b2c806b5c16bbe16172ec3d (3 x Loki, 2 x AgentTesla, 1 x HawkEye)
ssdeep	12288:ZAs8PmmVUXLBugvnML2Td2Jbk1TTwz3/HzRRVxIhAiUaO/ymyxuuX:iPsBuD+cWw/9iqiFyvyzX
Threatray	11'702 similar samples on MalwareBazaar
TLSH	08159EB2F2E04437D1731A7C9D6BE275982A7D72AD28A94A7BF4CC4C4E3924139352D3
Reporter	abuse_ch
Tags:	AgentTesla Akbank exe geo TUR

abuse_ch

Malspam distributing AgentTesla:

HELO: m2.itit.hu
Sending IP: 87.229.23.21
From: Akbank Ticari Bankacılık <ticaribankacilik@bilgi.akbank.com>
Subject: HAZİRAN 2020 Ticari Hesap Özetiniz (Ref:2053878463)
Attachment: Ticari Hesap Özetiniz.rar (contains "Ticari Hesap Özetiniz.exe")

AgentTesla SMTP exfil server:
mail.jjfconsultores.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/18690/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/40ef9adfcf675caf8054ca9c3635f3e47bc0bb99f74b63781976adeedbecdc5b/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-03 12:27:05 UTC

AV detection:

22 of 48 (45.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=idxzvx6pm5ok7acuzkodmnpt4r54bo4z65fwg6azo2w65w7m3rnq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb

AgentTesla

537f499dd0028377360979ca7ae771d7acb31c451ef806b7d05541cf541f15cb

AgentTesla

5f94c2d722aeb9ec5e324dde64992b7baec9db6f6c0ff39b61fcda6813ec16fd

AgentTesla

723ffa5603c25d3066479031406a8202e4dd62510c42b0afe4d317c90f121edd

AgentTesla

ebe66ba4d86cd90af8bfae8cafbd71d56f183b72ac6ceb332ec9fbddd3c18452

AgentTesla

f1e136159f76900454c4b84e7dee3455e2eeefadcc86ac21d1fa40750aecc5fa

AgentTesla

fc23f4b6273823d342d92e5fef7e4befc6ca4be41048054eb360ed0923db5983

AgentTesla

fd25d39f3f2eeec2ecf1db20ea303f7389a1ed1b703ab6991e656d13811af1a2

AgentTesla

ff04d83ea719cc1680374c4c5063436e8adee2b82f33a888883c1ad2655ef517

AgentTesla

+ 11'692 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200703-fgnrrcbgb2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar