MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f81b89148442875962b35680334d7fc7b5827ad3764891fa990552fe77ea28d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f81b89148442875962b35680334d7fc7b5827ad3764891fa990552fe77ea28d
SHA3-384 hash: b986a76d96362edcaa1f0a4342e9357ad293ff0f5cd739508b0be0ddd4dd1abe8fcb34fa1ee11c8e6760992e86932573
SHA1 hash: 83b0b6d820ccedb5dc701f3ba277c71fdad0aaf6
MD5 hash: 3b759921e862aef424c4fdf4799a80d8
humanhash: queen-yankee-juliet-william
File name:P.O 18-1445.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:483'840 bytes
First seen:2020-05-13 15:45:44 UTC
Last seen:2020-05-13 17:07:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:kW5gkFoIMGahiuiEI8ggSSO8Lx8f5cIJXJpMCqaY3PgiQsfms:CcRzqSJ8g9x8LxSVJ9u
Threatray 10'596 similar samples on MalwareBazaar
TLSH EEA4CFAC312576EFC85BC57A8E982C28AA603077535BD207916325DEAD0CAD7CF245F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: aaturkgroup.com
Sending IP: 103.145.254.227
From: Abdul Rahmanali>sales@aaturkgroup.com
Subject: Re:new purchase order
Attachment: P.O 18-1445.rar (contains "P.O 18-1445.exe")

AgentTesla SMTP exfil server:
1st-ship.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis3B759921E862.8355.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 13:39:00 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6a3rekiiquhlfrlgvuagngx7r5vqj5ng5sish5jsbks7z36ukgq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e2bc8b5fb749983b95d2e5b4d8c79b1d1c90645a0b2d5e95923a8558bc73bd6
AgentTesla
618d791a22f2a8bcd4eb2fd672f47b443cb4c732ae1cb63e201d07a96f3343df
AgentTesla
662e434ffc2542e1d89c3ff9433eacbd50e235a8ce50072f675f5010a422c73c
AgentTesla
91236da59c95dd764f85a84297238f215ef0cd3d0fbc37f2a2f15d2f302e2dfd
AgentTesla
93d5e54bc0eedf04d893416ef597e0c833c7d7870f9f793fdd7e5f1b23382273
AgentTesla
974edc62c329ce314f5c8c745cd145779db4c5a5d46188def7351cf11be83eec
AgentTesla
bca2dfcc165159c1432087a9adf1921baf2f53dd52b69be50e5cf400f4c0cd8d
AgentTesla
c4c8770d23abfebf060ae159e67040f060e9e0dbf5b2838a089533b1a7278cf4
AgentTesla
f518f0a8e6238b33a99b3c030da878a1230d278dff2cac740c2a6c089b7801b3
AgentTesla
fc0054e78d6ff68732c092238f77b6791ac1937f56f0d738ff603a1d3bd6dbd3
AgentTesla
+ 10'586 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-srh15pqgh2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 52231debcfe8956d52f217ed6e950e574525f22b370719e9dab3c8ce3e8de905

AgentTesla

Executable exe 4f81b89148442875962b35680334d7fc7b5827ad3764891fa990552fe77ea28d

(this sample)

  
Dropped by
MD5 97daae9cd251d952d2388fff0a716831
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 52231debcfe8956d52f217ed6e950e574525f22b370719e9dab3c8ce3e8de905

Comments