MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a07677e90615a17c1d659f823433fc283387255551aa314c70d1906dc9a12e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a07677e90615a17c1d659f823433fc283387255551aa314c70d1906dc9a12e5
SHA3-384 hash: f5b0afb7ad3e86f94f0af49c0c5d24fed279245c3c1729f7f8c914090edaf4d9e8425817fd6e1e7ed1b3127091d6630d
SHA1 hash: b2261b1ea8988a280afdfe416154b254442d534d
MD5 hash: 5647c5613deada84c94183e7f655c340
humanhash: uranus-comet-indigo-indigo
File name:Inquiry 18052020114824.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:651'264 bytes
First seen:2020-05-19 05:53:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:k63e53HHeUsLitgEJD6LpEH0lmdlE+/U9Ejs7P5KskGq57kjybVhCWmyvcNo7m0D:k63eJneLEt6oXEEkP0G6hCWmyvcH
Threatray 10'666 similar samples on MalwareBazaar
TLSH F2D47C3D3680A816D13C8932549599C266B6AA43BE52C74F3FCE439CAF137CE3B2564D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: cloudhost-109205.us-west-1.nxcli.net
Sending IP: 173.249.144.251
From: Boğaçhan <starou@f-be.com>
Subject: Price List Inquiry
Attachment: Inquiry 18052020114824.iso (contains "Inquiry 18052020114824.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 07:03:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jidwo7uqmfnbpqowlh4cgqz7ykbtq4svkunkgfghbumqnxe2clsq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
3eb30f7fa77eeed5c687b9514c1ef0e9cca4778a514e30a2a0c07949945407f4
AgentTesla
481fe9b310d02dfed2c5d650e64b63bab9021d9c8ece0b90f9a0d474ce6d64e8
AgentTesla
9afb1269ba69bd18c0e77c2061cbbbec9ef53143d2e39079ef729f9da2eb000b
AgentTesla
ac979891a231a3af79a31a52663f77fe151bbbddee9b13750ea02e82f6aefd40
AgentTesla
bcc9c0d2162cec6b418ab08905642c181d2c24b95a4a387242f73cd5d4410bb2
AgentTesla
c964296558dc6cf1a3e305f48af7ea8b6736ef61f01425dbfabc6fd32cd4eb87
AgentTesla
d364a64f878c7a01c622cfb107ebe9776a9defadfce6875fc37b703e695dfa50
AgentTesla
e7e7041b16466bd06811dc949564fdc2cabed3c4f7e8957581f0a4b53808ab0f
AgentTesla
e8917cab54dca8c56976f8fa973521d58d0fc5abc196906a2aaee1e31c8b007c
AgentTesla
f349c4c241a5ce1565b3d584dc1158fbc4e9766d99becca69c5d4d848de0fefa
AgentTesla
+ 10'656 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-saed53tmta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 1bf47b23946587d00ba8d00afe002d34e7f9d231be66e2dfa88146c3a8cd3d04

AgentTesla

Executable exe 4a07677e90615a17c1d659f823433fc283387255551aa314c70d1906dc9a12e5

(this sample)

  
Dropped by
MD5 552e0bbfaa01027d49e217b0e62c4df1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1bf47b23946587d00ba8d00afe002d34e7f9d231be66e2dfa88146c3a8cd3d04

Comments