MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ac30db53be8d2e9192aaed438e7259355d340cefaf5d964ba25fc710db47be5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ac30db53be8d2e9192aaed438e7259355d340cefaf5d964ba25fc710db47be5
SHA3-384 hash: ad35421fdc0d579a875e3a07e48337bc855093aa679b94e619569d1ed1e89cad71f0f30f446aac6f8889dd8a8b42812b
SHA1 hash: 54088a9c82cebdcf6b201f8cb1bf6eec990bb35d
MD5 hash: 0a886f0cdc407a7481e92bd19b78b97d
humanhash: tango-cardinal-robert-double
File name:HS1-1909260019.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:483'840 bytes
First seen:2020-06-29 05:55:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:81SBaNmyfyCPJk82Mhu3Ir5dVSR7AOoF+HIVq9pTr:8oBOZPJt293Ir5G2p2
Threatray 10'598 similar samples on MalwareBazaar
TLSH CFA4E02073BD5BA7DA3E83F5156145218FF66DAA6922E74D0EC720EB1932F008F51E27
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: p6.mail2000.com.tw
Sending IP: 220.130.127.162
From: service <service@moduleaudio.com>
Reply-To: service <service@moduleaudio.com>
Subject: Re: new order No.305930960MN
Attachment: HS1-1909260019.zip (contains "HS1-1909260019.exe")

AgentTesla SMTP exfil server:
mail.cabseal.com:587

AgentTesla SMTP exfil email address:
goodluckoffice@yandex.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/15325/
Detection(s):
SecuriteInfo.com.Fareit-FVR97B1CDB35EA0.28661.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4ac30db53be8d2e9192aaed438e7259355d340cefaf5d964ba25fc710db47be5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 05:57:04 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jlbq3nj35djosgjkv3kdrzzfsnk5gqgo7l25szf2ex6hcdnuppsq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06ea54f9d48465183fbdefa051e212dca50f8ae3d7da0fe781953ca3e3d9a974
AgentTesla
20fa03ed146d67328f48a4609fd5a1f2f584576dcb93450661d4b6e1f9c269da
AgentTesla
22c8b886622a8f8b14fc4cc6c4f476c5f00077f21518fb73f8ea9d48f9b6f499
AgentTesla
4a6e3e734e7545019cfe79f1fa90d2267db5f2115322451c4079b42f2e5a9e51
AgentTesla
73b78f2caff5099ed61689ba82eaa2d6dc19bb1fa2d619b9429d5f876a0ecd68
AgentTesla
7850417d2c934eda23e7c968df7b7ef4d76c85328092b10826c3a8652388dba7
AgentTesla
8d8a182ec1056ddb74380d90ce73b3f14fc7cf119d8b1902bdd31de2dcf8c47e
AgentTesla
8f901388287c1af2dd8b842b84148350d8ea853c72b6f5d4fe3d8de7d87d8484
AgentTesla
96be4c022a685da66e80a8a7ef911b33bcf3c96116e927faedbfe7f35f483c8b
AgentTesla
9847654714ecb412b6af1f270d2ede9b8683580e5280def0131b6bc27a9f27e6
AgentTesla
+ 10'588 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200629-egk4ccrcfe/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Modifies service
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip edc8d510348bb516bad4cf033e13b9f8fd3e6551a2637938f9e4cab4a2ad8d67

AgentTesla

Executable exe 4ac30db53be8d2e9192aaed438e7259355d340cefaf5d964ba25fc710db47be5

(this sample)

  
Dropped by
MD5 6b5dd3406cec1eba398e5872690e70f2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/15325/
  
Dropped by
SHA256 edc8d510348bb516bad4cf033e13b9f8fd3e6551a2637938f9e4cab4a2ad8d67

Comments