MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52c81140c99fba8aa2171550c3d042ed1f6a4a2a75bb8af1e032e248ad8e1c98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52c81140c99fba8aa2171550c3d042ed1f6a4a2a75bb8af1e032e248ad8e1c98
SHA3-384 hash: d18e315ca6f72093f6bd718ee59f7bd5b50dab3c5a145bb9690640a9361c3e649ecd5f806b9269c5ded5114dd2654f83
SHA1 hash: 060f0ee12ee7dd8cd66c26bc887ce8d77085262c
MD5 hash: 511190c0790069f217e9e23aacbd6c51
humanhash: pasta-four-nuts-three
File name:Specification Details.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:455'680 bytes
First seen:2020-07-06 08:26:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:3Mu9aQkTWALwOufcPP62lQpbcYGScPvwPn3Vk:cG1kTW2wVVmabrewP3
Threatray 10'607 similar samples on MalwareBazaar
TLSH 26A4F1B70242BEDAE67D1EB4C11012800DF52C57EB70CC5ABDC835CA52B6724DEB9A75
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

From: Lic. Pablo Previtali<support@lums.ac.ir>
Reply-To: support@lums.ac.ir
Subject: Inquiry 2020
Attachment: Specification Details.7z (contains "Specification Details.exe")

AgentTesla SMTP exfil server:
smtp.mail.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21370/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/52c81140c99fba8aa2171550c3d042ed1f6a4a2a75bb8af1e032e248ad8e1c98/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 08:28:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=klebcqgjt65iviqxcvimhucc5upwusrkow5yv4paglrerlmodsma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2a19861b5542b7a76129c027376c7c3902e38ab5d9914722af6b13eff1a28973
AgentTesla
2c79248a584b7bf4eea2d503cbd40e7471edcd2ffa28e066394ead5cc57212c2
AgentTesla
3d0a1e494ae5a0cbc4075f7cbdb2421e4840da06cf3ea998d588928c841e9713
AgentTesla
7f5082ea80243bb25ddcddc3289e2f973e858bb53716a75318bfc4848cfdccd7
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
bb30fcf27be9a7cb8819f3cafdbea9be47c15cad354b838c2c4b7572ebe951a2
AgentTesla
c08b6cb15ec45d44bde739241acb6403f92bffc565a006c11cbfb4f9c10806e1
AgentTesla
da01e4c70ffd72bdc10f8816e6a81b01e6cdcb96e110075a3c20840a4858b50a
AgentTesla
e10eb374689e800446850be0977a4911b17f16b190c58f6a2acccfda9fa33ed2
AgentTesla
ece50b4530fc4e9955bf8685739750453271a1cd97b2b40dcacaa14327be1e20
AgentTesla
+ 10'597 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200706-6etlbpnwxe/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z e53f7a198f6a5c53934323a42ec8d832ef6f1612d0803f997968ddfab72a2de2

AgentTesla

Executable exe 52c81140c99fba8aa2171550c3d042ed1f6a4a2a75bb8af1e032e248ad8e1c98

(this sample)

  
Dropped by
MD5 3c3bc2767c6927bcdbfe39b9d695719f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e53f7a198f6a5c53934323a42ec8d832ef6f1612d0803f997968ddfab72a2de2
Cape
Cape
https://www.capesandbox.com/analysis/21370/

Comments