MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5afb8b1e08dee442332deaabd3fb126ffd9d4b34056aa33e121f24776086695a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5afb8b1e08dee442332deaabd3fb126ffd9d4b34056aa33e121f24776086695a
SHA3-384 hash: 79ee5803eae48f962fa9107749d753df6cb88b6be355b76f25a50592ea293ef2189f49152f6c0dd77f51dc1aac02fde8
SHA1 hash: c2fe7bb8962258708ba1769cbf1afdf15cabeecd
MD5 hash: fa4f1460275e418e806f1aa28697c2ba
humanhash: fillet-artist-victor-minnesota
File name:Inquiry Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:548'864 bytes
First seen:2020-06-02 07:27:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:bMLp6JJJz5WF7y4AfCu/s9uSgkE+C5LNNsjC7pXl6A/4GpkgHAqb:bq8JJxDCu6uj+Cd
Threatray 10'874 similar samples on MalwareBazaar
TLSH C4C4AEAC325476DFC86BC5BADAA81C64EB60787B430B9203941721ED9A1DAD7CF144F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smtp5.intred.it
Sending IP: 62.97.32.61
From: Gina (Gina) Breedt <eugenio.braghini@intred.net>
Reply-To: sanpoyan@staff.hkbu.edu.hk
Subject: New Inquiry Order
Attachment: Inquiry Order.rar (contains "Inquiry Order.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 04:49:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
17 of 29 (58.62%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ll5ywhqi33seemzn5kv5h6ysn76z2szuavvkgpqsd4shoyegnfna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c630248507337f2835d5ff76bcadd48aca15cc50c4b334eabea3a93bac8a6cb
AgentTesla
10566a81427f90f1a6eb8b01545c41efe5d7d42602bdc6c6762930ad8f304d88
AgentTesla
2d087f692712048cacf9fd659710e3c0d4916827fdbfc1a8a5b2a50ac4218920
AgentTesla
2dc17476d3fd11bd7a844bf4e4f5b96b0784ce7d3376b8b8b02d408a4edbd772
AgentTesla
637b72e82538b767707282db37c0f960aa60c72e3c44c76ecaf232a9c105bf41
AgentTesla
6a147caafb9ba563492e7974b271d469c95300eabb699dc797ba896587aafe1b
AgentTesla
7dfe5d9e3e099285a3bc63497d1ee47ac99b7012f23beb730d73557b40afa26c
AgentTesla
7f955530859680734f6742fa13e78e4b34418424279ccd7a22e1f701b286d4f5
AgentTesla
cea7a7d16ee12b688cccbb9dd85e7afccfff1329ca8c74ae0b7f815372252604
AgentTesla
f3f038f7ea7aba5ce5e184d91ef33b9b365f3133088f21af6cf6b1e06c2b7520
AgentTesla
+ 10'864 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-4pq1fkpy86/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 02a3fe2cb435f12ac2662c2767b06faed1802f9fba0d593da806f6696b99e080

AgentTesla

Executable exe 5afb8b1e08dee442332deaabd3fb126ffd9d4b34056aa33e121f24776086695a

(this sample)

  
Dropped by
MD5 763697d550b9356058c73279dfc1fe66
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 02a3fe2cb435f12ac2662c2767b06faed1802f9fba0d593da806f6696b99e080

Comments