MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58ef2bdbbafce86268cb8f4eb76b8d723402e70fead4f28ea36c1e7aaa99e1f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	58ef2bdbbafce86268cb8f4eb76b8d723402e70fead4f28ea36c1e7aaa99e1f5
SHA3-384 hash:	5d92938ce4147de7d2ec9d3cda6ba6ee432418d74d08eb6001f85491beba44c7d5c6ee56c0b2d8bc5a75c73b75730ea6
SHA1 hash:	dabd4e5987cf59b43d6c3dc54037fb10f4768ad2
MD5 hash:	0f78c2a1d78687e0ad037217d95f0612
humanhash:	minnesota-failed-nineteen-mirror
File name:	XED6oGGlOxdk73l.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	485'888 bytes
First seen:	2020-05-12 10:56:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:VFLKGKMsRdpgaM33HjOzBY1Cs+OjrK+co/vyF:DqHgl3zOV1sLjrK+5/K
Threatray	10'712 similar samples on MalwareBazaar
TLSH	2EA401257398AF07DB7F55FFC440552603BC90966E82F3DA1CC264DA21E4BCA46A1E8F
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

abuse_ch

Malspam distributing AgentTesla:

HELO: gateway22.websitewelcome.com
Sending IP: 192.185.46.126
From: Wendy Cordero (DHL) <Wendy.Cordero@dhl.com>
Subject: RE: ESTADO DE CUENTA - FERTILIZANTES DE LOS ANDES
Attachment: XED6oGGlOxdk73l.img (contains "XED6oGGlOxdk73l.exe")

AgentTesla SMTP exfil server:
mail.impresionesypublicidad.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-12 11:36:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ldxsxw527tuge2glr5hlo24noi2afzyp5lkpfdvdnqphvkuz4h2q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

12e5755daaddafe1456ea2d7e8aa1731d1e6d00add4967859dc0c43bb760a920

AgentTesla

1eee887b16c1d789c1869219de2609fbc29ef3ee0c0625f2907c71e9ba701daf

AgentTesla

21dba41b37835f29fa4166786b44915d69109229a0fd19ee46d14cb2afa7c35b

AgentTesla

9aaf988f70bcd0e53ebb665226e48a2c72e2df70f9dcf0b92ae879ec68bb8e22

AgentTesla

acacc7f3cc09e7a711e1f7f4f9fc6633b4c48b21f17e793ec9a91c26173c1232

AgentTesla

dff01b9f8946ed3792fe4e32ae3f95834c892f16ca219dc99d78fd15064f82a2

AgentTesla

e4392c3867a7b38a96f352f3249358e0144717bde4adf6473e5f994904a98bb3

AgentTesla

eed00acb5b2bd676ab5ae74611ed880e6ef40d855d401ce9a938d5700f2b1de1

AgentTesla

f29c7a735adfcc42de35a17646ead9eaf23ae1a0cc99ad468b720d0e3be7dad6

AgentTesla

+ 10'702 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-2c9c1t5evs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

8c51c8cd475de485028f4ad1fe4bcff0

AgentTesla

exe 58ef2bdbbafce86268cb8f4eb76b8d723402e70fead4f28ea36c1e7aaa99e1f5

(this sample)

Dropped by

MD5 8c51c8cd475de485028f4ad1fe4bcff0

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample