MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60da286e39c0c6dcee0d9daafbf5c6662b818c9a36b77d8ba5f4314e94d9baea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60da286e39c0c6dcee0d9daafbf5c6662b818c9a36b77d8ba5f4314e94d9baea
SHA3-384 hash: 10e72759660245b51502a8dea27bca0c5276f6654a142685c8a3e534dfcbfe0ff68b76ca7c48b6f971fb038124683851
SHA1 hash: 5c2dbacfdf69caf9b873fe0922c0315c7262fdcf
MD5 hash: 72a65789fc92b880de7f04f14f044b4f
humanhash: carbon-lion-snake-diet
File name:PO-78554.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:605'184 bytes
First seen:2020-06-11 05:48:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:5AhSU+YdbReHy7aippIA51lsnQ3LUDOx0XcZvfSv3Lml5T2Gl6eqiU4:K0ULReHRiXT5/snEYDEQMCQyG
Threatray 11'102 similar samples on MalwareBazaar
TLSH 48D4DF0476D57E4FC36E4DB744232810ABB0A9677E1BF3835CCB25DA252DF864A01B9B
Reporter abuse_ch
Tags:AgentTesla exe Yahoo


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: sonic303-1.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.131.40
From: sales@icefire.in <sales@icefire.in>
Reply-To: sales@icefire.in <sales@icefire.in>
Subject: Request for Quotation
Attachment: PO-78554.arj (contains "PO-78554.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8866/
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 05:50:11 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mdncq3rzyddnz3qntwvpx5ogmyvydde2g23x3c5f6qyu5fgzxlva._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03fc6fb46457641645117a9c29292069714568ff711647455c70769d7ab3485a
AgentTesla
083c70afde1be48426ebcf28eacfa0cd47f96130790b79f5a367ae6b00eab142
AgentTesla
0ed8342c19d8ff14d83588ca91cc6b5ab6bd811de15f05e5497d62ba25e56365
AgentTesla
235177d9fad8eb7644e4c8e8d98eab92a4b0389c55605793ba5e28abd6f9a6d4
AgentTesla
2a9ff7b8ca6a12f714779ecdcd2d86ccf9ad03da04de4a45aa8c3c97b7209c8f
AgentTesla
305eb08e59ef7e93a40e6eb8edf0c4a336ff54bfc07cac69d1744c949f53757e
AgentTesla
532b875f09991cdf7b57db59f0f7aa579d49b229d65ad1ace9f67bf6ffc7bca5
AgentTesla
950d32041bd422de6e75703707b17e94f27235d3632387f02d21160c71d2735e
AgentTesla
9b5b44ded4ede28d92834c4db286780a5628d02597a739ff3633f808d47f0939
AgentTesla
ec17348438d8e6c04f18e329968d37c5d1be05148a7b770e926b8ebeca75f06e
AgentTesla
+ 11'092 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-9w2r1e9dae/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj 36361e2aeeed27e55f1595d62949127ce69e7f1e8b67e84006021fe83fa93959

AgentTesla

Executable exe 60da286e39c0c6dcee0d9daafbf5c6662b818c9a36b77d8ba5f4314e94d9baea

(this sample)

  
Dropped by
MD5 b4cee88af7c1f5ac81ef75f76c3afb79
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 36361e2aeeed27e55f1595d62949127ce69e7f1e8b67e84006021fe83fa93959
Cape
Cape
https://www.capesandbox.com/analysis/8866/

Comments