MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 414bb3f2c1e4c38d1e59fdef2342ab4119d135c09a87b678a4646a777b95db7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	414bb3f2c1e4c38d1e59fdef2342ab4119d135c09a87b678a4646a777b95db7f
SHA3-384 hash:	245cf10e56801b6227e4541432ca6af9c5bbd4be228d38416287888667b5e68af7a4ea1cb793f34cd4d36e5cc931b888
SHA1 hash:	5406861813f923bd22d91e605a450d398cf4c4db
MD5 hash:	19ba63741ff38f210bb936dcdd97f5d7
humanhash:	cardinal-thirteen-video-nebraska
File name:	Rq_2020_11006_TMYR_Project.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	428'544 bytes
First seen:	2020-06-16 11:41:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:5zOm+ELK40L9kY4hC1s9yr6aT1ii1t/FPzOgNArncI2TbzM0TElh9bLkp247xq:5zJs4a9bleQr6aR39zArGjonCPt
Threatray	10'614 similar samples on MalwareBazaar
TLSH	0C94021D52DD9739C57C4ABD84F1181143F5B0773523E3AE6E8032BE6C67BE02A12A67
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: vie01a-dmta-lc01-1.mx.upcmail.net
Sending IP: 84.116.36.160
From: UNION OCEAN<sc.yang@solu-m.com>
Subject: New Shipment [MT Taimyr] Order JUNE 16, AE MAN B&W 20/27 project Engine
Attachment: Rq_2020_11006_TMYR_Project.zip (contains "Rq_2020_11006_TMYR_Project.exe")

AgentTesla SMTP exfil server:
mail.sevenstars-travel.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/10950/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.gc.16372.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-16 11:43:04 UTC

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iff3h4wb4tby2hsz7xxsgqvliem5cnoatkd3m6femrvho64v3n7q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

69edeb3d6fd141dcd84b1ccf4d26eaf1633bae81803b078a7b24e4f0058828f3

AgentTesla

7b2d4e5a835b5d367a47867bee1be5f7bc6cb3f322a7bafe785785e00217ad03

AgentTesla

800fb677fa27f623dd81422dd8dd0d7517f55d9deea48160fc64e9732c414f26

AgentTesla

885606243d421252d4319bf5a5e4e26b094bec3ad01cb306e8139d771141bbe8

AgentTesla

ba4c72b934177106117b877643418c2346bfc68aaf8eee80301cd2620fb48c4a

AgentTesla

c1a234de258c217baed47f488a8a2cc414ec307f960480c41678b14dad063445

AgentTesla

d46ec805aedadd50a7b9aec3c283c25b29e2e17808d6956ba66d16d51d4fb4db

AgentTesla

d76f0bd1f51c30e542ba1e6dbc01e5937123afb5bcda0a88c0541a3d66c9346d

AgentTesla

fc0baaddb45b01c001d06f6d819cdc37c1df3e210508eb1e71d365a696d37144

AgentTesla

+ 10'604 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200624-vfmynhsche/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar