MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43f7ca6a635db4dedd6c734f3af9ba5a96d87b4698f1c4eec56c8b86f6be26c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43f7ca6a635db4dedd6c734f3af9ba5a96d87b4698f1c4eec56c8b86f6be26c9
SHA3-384 hash: 73f86fb332efb4a446ee08b7ee30996eb94d4dd42bd8f69e6738f766c7adb21333db289a82bacbeda1e85b5ad10d95f6
SHA1 hash: 725102c85171219727a04d40273d97163c4cf7ba
MD5 hash: b6b706a4773a341241d30edddfcd0145
humanhash: equal-pennsylvania-december-alaska
File name:Doc-12744790974414733-031.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:628'736 bytes
First seen:2020-06-11 15:26:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:bjdaU+6VEt6r4ePVhwvgoVAmxR0GGgg8:bjB+6N0eGgi0jgg8
Threatray 10'586 similar samples on MalwareBazaar
TLSH 8ED43A3E37856915D63C093284E656D163B2A9433E02DF0FBACA6B9C9F033CB2B5525D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.chenklins.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9039/
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 15:28:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ip34u2tdlw2n5xlmonhtv6n2lklnq62gtdy4j3wfnsfyn5v6e3eq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2797fabdb7ec8843947933f792ef8db22cc3bab5e06f8204ab4697acd0a04d55
AgentTesla
29351837be2ee7ec1cd05fb09ee502ef3f43dfc549d23d69d4b61c400343d899
AgentTesla
3153b96e0d31eb2901117a088ffcdbe7e88ba65660171b0f0d43295ea21a27b0
AgentTesla
34408552d34edc061e6bce5aa476bdfa09f5c8a7f1936d902dea430c0fa14d62
AgentTesla
6bab78869dbbef0f84e21ff64ef79e4d2f5b5c672b3d8ef48dc520c674b81c5d
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
90aa9f9ad74752d2965816d8d68399d2b1c4fdce28c2ca57753196b3a2d60b34
AgentTesla
b04580b535d7a018ff5b8933e399b7b1497b3dfa896798fef656412a925ceb78
AgentTesla
e06a362a13aefe9b5e7183c1fca36e444270696e152b8db99148967f9dd9f349
AgentTesla
f9cdc89e99a471146ead33ee9c93bca0ecc286e65cf326c4450a9d6d8597153b
AgentTesla
+ 10'576 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-ql3yey9hgj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 43f7ca6a635db4dedd6c734f3af9ba5a96d87b4698f1c4eec56c8b86f6be26c9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/9039/

Comments