MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 618d791a22f2a8bcd4eb2fd672f47b443cb4c732ae1cb63e201d07a96f3343df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 618d791a22f2a8bcd4eb2fd672f47b443cb4c732ae1cb63e201d07a96f3343df
SHA3-384 hash: 0adfafc37c8c03d99d9e58638add93e04854751e9a523612ccdde6ec6ecc23c68f96492840471c0f378092ccbfebf4c5
SHA1 hash: 276213aa8b7b2fd7270f14d741453ef1185713bb
MD5 hash: 90562bf55d1a141673069638df7755be
humanhash: football-magazine-five-georgia
File name:purchase order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:433'664 bytes
First seen:2020-05-13 06:08:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:10GqVrKSu+vSOnYCALIoB7taY5jIMFhvn:KG2rKS1fAnB7takIMFdn
Threatray 10'718 similar samples on MalwareBazaar
TLSH C09412BE2B9E16AFEF6B13B8605544CC03F245987F84E3CC4DD297E986973C08212997
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gquimico.com
Sending IP: 103.145.254.227
From: Diego Fernando>diego.castano@gquimico.com
Subject: Re:new purchase order
Attachment: purchase order.rar (contains "purchase order.exe")

AgentTesla SMTP exfil server:
1st-ship.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.45983.2026.14288.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 03:08:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mggxsgrc6kulzvhlf7lhf5d3iq6ljrzsvyolmpradud2s3ztippq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26d84a58245ef7c47ef69c0b8a1d378ad6c8a3d8d154d2358ed0b16230082420
AgentTesla
4f81b89148442875962b35680334d7fc7b5827ad3764891fa990552fe77ea28d
AgentTesla
56b6d84da3da3801cb073bd798fa233d40ab867308f1ce634f65597c413838e2
AgentTesla
79707deb89afd6a88eaf63af7065b7e30d0508126cf6c8664d01a924dd60e4a5
AgentTesla
91236da59c95dd764f85a84297238f215ef0cd3d0fbc37f2a2f15d2f302e2dfd
AgentTesla
93d5e54bc0eedf04d893416ef597e0c833c7d7870f9f793fdd7e5f1b23382273
AgentTesla
974edc62c329ce314f5c8c745cd145779db4c5a5d46188def7351cf11be83eec
AgentTesla
c706f368dbef31f72b1014d16a23f3f69abdbad6f62571e6325930c549afda2c
AgentTesla
e70a32319ddb990bd412b11fc12e09e00105104fbd576e5e0f9c40445f910ae4
AgentTesla
f518f0a8e6238b33a99b3c030da878a1230d278dff2cac740c2a6c089b7801b3
AgentTesla
+ 10'708 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-zc4m4p4bmn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 00ef422933249773a03dd798f5eee9ad33f7b0ec6920d1221ae30f2dc0ade05b

AgentTesla

Executable exe 618d791a22f2a8bcd4eb2fd672f47b443cb4c732ae1cb63e201d07a96f3343df

(this sample)

  
Dropped by
MD5 b02394dec19f01b513072a0bc1ad5a68
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 00ef422933249773a03dd798f5eee9ad33f7b0ec6920d1221ae30f2dc0ade05b

Comments