MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b5476d1b1fb4ba019b8e7620f3a2194000d56db26196f5a94014a78f3cac669. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b5476d1b1fb4ba019b8e7620f3a2194000d56db26196f5a94014a78f3cac669
SHA3-384 hash: 8bff03ad484d90f80e74cf23b6ba786dfa0afdf1a8a263afd6d5dc3d0ffcadd791ea4118e008845f98ce52c30a9fdbc3
SHA1 hash: a68ccd73fb39469b1a70b6107f5fed5e9ef42372
MD5 hash: bb279041576c64a18e886f61637185a9
humanhash: bluebird-one-mike-delaware
File name:DHL001173980290PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'594'880 bytes
First seen:2020-05-25 13:02:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:Ttb20pkaCqT5TBWgNQ7abTK1oOWVeBRJuMdzfj0yrvsSTpWbpuQ+6A:QVg5tQ7abTK1dWWVjwovTWuv5
Threatray 11'021 similar samples on MalwareBazaar
TLSH BF75E02363DEC361C7725273BA26BB41AE7B7C2506A5F56B2FD4093DE820122521E773
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: web23.abo-net.ro
Sending IP: 91.206.207.209
From: CONSEGNA EXPRESS DHL <e-billing.es@dhl.com>
Reply-To: info@cyklosportsr.cz
Subject: DB_DHL_AWB_00117390021 / AD
Attachment: DHL001173980290PDF.iso (contains "DHL001173980290PDF.exe")

AgentTesla FTP exfil server:
ftp.zzv.ro:21

AgentTesla FTP exfil user name:
webshop@zzv.ro

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AutoIT-3.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 07:49:22 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
007ac20801e4bd954545cdcd275522fb87687179ed8dd160ceb6e906998a0558
AgentTesla
0644b00b5884d167142693487ce70de79a73630bafceaa94f83e5e7051b63c2e
AgentTesla
17fa709f1a866d573f997f8f1288d537de382cccc5a4f9c1811db9da34c016b2
AgentTesla
47d82ba4710a3924c4c552d64568cc4e7384776ba1bbf1d84e2e9104a4e094a8
AgentTesla
49921e6531eac85bf200970640a074072f6071b7a18d23af56706788cd421c1c
AgentTesla
5e09510e834b75413af64e013eda43df867fab6080facf4227a08ca64861a244
AgentTesla
6b6c089ca78bae3ca6f4d42e4287f9e9303b271196eda028785d8c074c397f40
AgentTesla
6fb3eca3bc35ceba9ce806f93a2855cec717897923851643f40e62dcecc2f14f
AgentTesla
795f7fa0f7b342d1182983efaf179583c126f772ed1bcb634ea4b5468a9a6dfe
AgentTesla
9096390efef4b3849e90bfa158d8dd4a8b2ee858bcc2b8daae0d7dd0b1105963
AgentTesla
+ 11'011 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-j2c5nl61ts/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 05f2f58788699fb2366349901630df5da9a9840f6d5ce927e823887ae818d9d9

AgentTesla

Executable exe 4b5476d1b1fb4ba019b8e7620f3a2194000d56db26196f5a94014a78f3cac669

(this sample)

  
Dropped by
MD5 9b38670ed5998d82841e984bbaf87413
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 05f2f58788699fb2366349901630df5da9a9840f6d5ce927e823887ae818d9d9

Comments