MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4475f56105151bc2c1e47f372e9917a6c5eb1e75cf6ba62d66822725e9b3cd2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4475f56105151bc2c1e47f372e9917a6c5eb1e75cf6ba62d66822725e9b3cd2d
SHA3-384 hash: 2fe903f9abc4dd3c42ed699c7a467a2fc29ce2961a5a64de73b127c6fed1b572ed7a2796d13d434181a07638b4127cc1
SHA1 hash: cf8a29ceebd7b8445a69e6f249814ae43847ea3d
MD5 hash: 13499b9071564da8c976ec32685b317b
humanhash: juliet-johnny-jig-helium
File name:List of FF&E items.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:426'496 bytes
First seen:2020-05-28 08:35:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cMiXaG0UWmpigMVq0Eo5dBmBiBMBx4xb4WVkVfzc:uWLgMVq0EoPBmkBMBx4qWV4Q
Threatray 10'807 similar samples on MalwareBazaar
TLSH 3E94C078AE588BE0D5B808BEFD59116D9B90C853AECBDB47202C7488FEC33DA85C3555
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: host21.axxesslocal.co.za
Sending IP: 197.242.148.137
From: Paras Chandra <contact@laserelektronik.org>
Subject: Quotation - FF&E Items
Attachment: List of FFE items.iso (contains "List of FF&E items.exe")

AgentTesla SMTP exfil server:
smtp.ociii.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 09:36:08 UTC
File Type:
PE (.Net Exe)
AV detection:
27 of 48 (56.25%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
024d2ae81292ee130b85ecc6f3e25aae7a3b4e733534bab0a475ac4e87c32952
AgentTesla
0c5dc88bb682a7d7a2a94c0a5da41ee4133888d2d67c1ace65dce27561dadad2
AgentTesla
29f5b55f3ebf6dcd373d0e29a1eb271cf073d58a1e9e8a79cbfc5412a427c0d1
AgentTesla
483765b3081a14ec1929bf04f827517da80a51e456d06a7fc914e74adafd7a8e
AgentTesla
561edd9f70bcb31e317b9af7c23b6fcf1af80a556a5837042154880296dd946a
AgentTesla
66a2878b55d41d3e576ec08bb0e28573de3af9dbbbd08567cc730198a490d021
AgentTesla
75ef91b36f46cb8875ffaa6af3cb7f38f8689ee9c16e50f9af87966a2648962f
AgentTesla
a8c64168f72d3a7af27ae6dfff00da04467744c5bcc04f9292761359e5507cbf
AgentTesla
ccac5881ca9beeead13f5c7f05b289e9d3013a9eea7ce8a087dcb0aade9a60e2
AgentTesla
d64c548cdf246a19722734b1c94f30252f00873a2e0960dccd05101f05e845d9
AgentTesla
+ 10'797 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-lk28vtqy6e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ac161fc52d96dd32d8b62b8c3a36e9bc

AgentTesla

Executable exe 4475f56105151bc2c1e47f372e9917a6c5eb1e75cf6ba62d66822725e9b3cd2d

(this sample)

  
Dropped by
MD5 ac161fc52d96dd32d8b62b8c3a36e9bc
  
Delivery method
Distributed via e-mail attachment

Comments