MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66a70b0fbd80aa28f3215b944260a8ce06a97d6e7f975cbd0100fba806b95016. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66a70b0fbd80aa28f3215b944260a8ce06a97d6e7f975cbd0100fba806b95016
SHA3-384 hash: 4196514465bef95d5372a7a6104a429466dd921f4fea81473badc9cce205e22b0987a95da74897c06e85569dc8a64b89
SHA1 hash: a3107ca93d12cbc6f411233aeb017e9391aac832
MD5 hash: 2f0bc79fec8651f0e45ecfbb229d0b7f
humanhash: lion-happy-quebec-papa
File name:PO_4091.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:491'520 bytes
First seen:2020-05-11 08:14:21 UTC
Last seen:2020-05-11 08:58:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:YVqfCIk3coaX0illgMfFk70jJ5IsT/EPALHF2bmumo:YVqfCIk3coaX0ilx/3IU1Ll2bmumo
Threatray 10'622 similar samples on MalwareBazaar
TLSH 9EA4CF54329D2B7AE0B56BF52AA49051E7B1316A34A7E7AE4CD214CB52F4F40C8B0F37
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: qualitech-solutions.cam
Sending IP: 111.90.140.145
From: Andere Scotch <andere.scotch@qualitech-solutions.cam>
Subject: RE: URGENT ORDER AND PACKING INSTRUCTIONS
Attachment: PO_4091 1.rar (contains "PO_4091.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.45506.7262.5202.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 09:28:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2tqwd55qcvcr4zblokeeyfizydks7lop6lvzpibad52qbvzkala._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3f8fa141198f2bfabea8c9ed408e9912e00722671630b9776705b84656af8cee
AgentTesla
6cacde1306c8b9679db400be31f29a78ee62875f4047d3855b8ceb8dc4019eb1
AgentTesla
9fb0d4a6cb16d10fc8c584647a21530ec375abf85b5a48d7d7578ebe6dc36f27
AgentTesla
b557884e69cbfcae02528a9e04363d4c61e358f7f81a285a5ea758df8f02bb63
AgentTesla
b6a58bc3f41e4914190b15761baca60507bc4763dd6305c499c52f95ea042727
AgentTesla
bfa03a66eb0b9720abf3efe1e9a220daa682dcb69f6bb6febdbc56bb9624e77f
AgentTesla
ca8bee78548af15a74451cdf1b85cd25033cd76d340f974d98b315f2d4cc7110
AgentTesla
d666e5a91a57a39aa50642853734884f6110624d37f144aab68ead30bf74c802
AgentTesla
e1ff7c1f8ccf2e6d990d34158fe517a1ec41c9208d07888d571fa52d3d398c5b
AgentTesla
ea027d907975381eaff6b9b98a14f303ad9f9d74b454dd55b9bd3b24b3b5baa1
AgentTesla
+ 10'612 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-y68p7v4e7a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar b1802121638afdbe414c77db5f708e4d9fa1b7536782069c64ded7af245066ca

AgentTesla

Executable exe 66a70b0fbd80aa28f3215b944260a8ce06a97d6e7f975cbd0100fba806b95016

(this sample)

  
Dropped by
MD5 81f11b238fc3823903e5dd7120f4bb43
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b1802121638afdbe414c77db5f708e4d9fa1b7536782069c64ded7af245066ca

Comments