MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65de2eaefa2cb6b31b1b6feee9eb0437a8d1c1cea531ffee2c092a8ba399d609. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65de2eaefa2cb6b31b1b6feee9eb0437a8d1c1cea531ffee2c092a8ba399d609
SHA3-384 hash: aa33ca998e836c4999d41a6cbbfc53c2ae7ed9cc82b4317af9206c1b85a6c3790b12ee6f91e21a0c7b840737be63fbca
SHA1 hash: 90075594fd68319c5cf68ae4f771d57a6d2c6dce
MD5 hash: a4d052ff04b5446788ccad878c3e04fa
humanhash: uranus-pizza-whiskey-idaho
File name:Order Non-woven Mask.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:441'344 bytes
First seen:2020-05-06 09:42:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Ssjb78ZakkOASLYwhlvuNEaL0n/H/5/0Y:8kO2+lvuyaL0n/x/0
Threatray 4'549 similar samples on MalwareBazaar
TLSH 29940299321071DFC897D9BA4EB85DB09B90A07E931F8207746361AE9E4DA4BCF504F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: qproxy5-pub.mail.unifiedlayer.com
Sending IP: 69.89.21.30
From: CVS Murthy <cvsmurthy@junopharm.com>
Subject: CHK-6678 - Non woven 3ply, SKF01 - Non woven 3ply, JC-201 - Non woven\x0a 3ply
Attachment: Order Non-woven Mask.rar (contains "Order Non-woven Mask.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EJYY.16467.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 10:36:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxpc5lx2fs3lggy3n7xot2yeg6undqoouuy773rmbevixi4z2yeq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
150bca9ea5a4c5835f0e665b2db300d12a741b3a452c74678be7d0ee8236668f
AgentTesla
16a372b8bf67ed98f8065274e22b1c36ad0b0a6fbd8a8a4a4afb0e9b07665612
AgentTesla
278ba1dcf6b5b983d24db59c55c9caf1326f3b6a3916eca6b7ef244f07ac15be
AgentTesla
293f8c9b635a869a00e4f0d275c8a3e8f358242e4813e443282cbc5ceb8f099d
AgentTesla
5136cc442f7ff2a99cb5c3c64c0419d23a3aba57f7389af3a758615eb8b6d26b
AgentTesla
c941762865ec73812c88477b07a173118890f17a3ea165ae81c8b21e5efecf59
AgentTesla
d23a2faa1b62069c4eaa368bc759d82f88b4b527d50648ea8953580f3f01fd15
AgentTesla
d6966bdc03399a2691eeba985de79e0a35558b9a40d7e10ea149e06c0508c108
AgentTesla
da598cdcc8c0be3634bafe7bfb3ca0137e1ae0f785fcbe679f63a79fde4c3131
AgentTesla
e12e8d3c045eaf7bcf729f25e39ed21114088534fef748acb3c8e0d2423b45bc
AgentTesla
+ 4'539 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-avvmf3gafj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar ffac0eb02d1a42b96cc64948150353ec1dadc56572943f736cbfecb4f706282f

AgentTesla

Executable exe 65de2eaefa2cb6b31b1b6feee9eb0437a8d1c1cea531ffee2c092a8ba399d609

(this sample)

  
Dropped by
MD5 af277671e67eb2cdc9213b535413ed73
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ffac0eb02d1a42b96cc64948150353ec1dadc56572943f736cbfecb4f706282f

Comments