MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66a8c938adab25455ae47bf87fb5f2f17954f5a7a65434171b0e9342fbd76770. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66a8c938adab25455ae47bf87fb5f2f17954f5a7a65434171b0e9342fbd76770
SHA3-384 hash: fea537e4f023a88e48674a9a68903e9ed097721cf4e6b3973dbef7e30b605f9f73041bbaeadd901a2a5973841b13d9c9
SHA1 hash: cdcd54b0c953917451b6a1525dc7d8736897b7e0
MD5 hash: f4251e6e19643eaf900ffae5cd409784
humanhash: happy-white-pennsylvania-zulu
File name:f4251e6e19643eaf900ffae5cd409784.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:397'312 bytes
First seen:2020-06-21 08:05:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:bZmrPsDwDmY6z4444S0luYC5LYkf03NEa53jFUPjUFoY4iC5Acjtd43d63FeTSkz:FmrPEwDmY6P4e4fjURc5AcxYuFeTtz
Threatray 10'690 similar samples on MalwareBazaar
TLSH BE84D00BDF9785BAC2AA6D73F471A51206FC62171633D12B1D88861D3D01ACBFED1B86
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.marketinfosales.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12357/
Detection(s):
SecuriteInfo.com.Variant.Ursu.911014.22692.6486.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-21 08:07:04 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2umsofnvmsukwxepp4h7nps6f4vj5nhuzkdify3b2juf66xm5ya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1de6d8667da47acd79149ba091ed36cf9e6b40e469ac7e49299792c72e21e764
AgentTesla
6a31202250692a5fc5db29563f8b1f9cea0e2b77fe0261df224717644347858f
AgentTesla
6e3a137a621b11e16fb46aa747fae37564a0cd03e57873193fa5f772a5822628
AgentTesla
7fc9466732f48a13fba7f7169c3eb19bf021d6adc63957ee1c5d57910887782c
AgentTesla
97c3cf905c068daf00bbc9c10810ff4437d953c3263e962b0454d0babcfe5494
AgentTesla
a9f98038cac91d7d9f92301d7738f9187fdc1a879aa9db3373ce1fbe1bbd6eae
AgentTesla
d0f4e90da1cf7b70ef688b9bc4f10a460d747b792f46d91f139e8cd05481059f
AgentTesla
d1af73fc3a8feb9a8254eff6a4a94d1637593ade739fc42da2a4907029fa03e2
AgentTesla
f187aab18607c012460083a62bafb6e17e1b9e6003fc0196695dfd48ae2eb361
AgentTesla
f3635e26f70dfb1240a5f8c7b09ea634ee9e5b6692cb73829b0124c0b2505281
AgentTesla
+ 10'680 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/200624-qffage7t1e/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Drops startup file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/12357/

Comments