MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7832b802927a0d0c8a6500dfcd73512794fcf8b26fd6c8d61de254c48b2ef29e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7832b802927a0d0c8a6500dfcd73512794fcf8b26fd6c8d61de254c48b2ef29e
SHA3-384 hash: 4965460853d770e4587247129eef785d0cc2bd1b6c4de8634de33e33a047f5f18ff1c2ba4786f2eff35c3aff519b935e
SHA1 hash: 2e0d3881e59ca3fada6b450c0cfdb9cecd3a0588
MD5 hash: 172a5d601dfb3f89f081301dc9ce0ab8
humanhash: bluebird-wisconsin-maryland-oranges
File name:tTD9N.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:866'304 bytes
First seen:2020-05-14 14:18:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:iAHnh+eWsN3skA4RV1Hom2KXMmHaVDrF5:lh+ZkldoPK8YaVDj
Threatray 11'118 similar samples on MalwareBazaar
TLSH 13058B0273D1C036FFABA2739B6AF24556BC79254133852F13981DB9BD701B2263E663
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-05-14 14:18:15 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pazlqauspigqzctfadp4242re6kpz6fsn7lmrvq54jkmjczo6kpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d067ec61abc3cb032027093834e84d7d4f7b0601024b152adb26481b420d683
AgentTesla
1d08ccd9e353e6684b90cef223afd58b740d0b391381c03636b56da17f44e6b9
AgentTesla
3945669106668a82fcc127f418ea0b028c8d73057b4b1715bb296627901023b0
AgentTesla
4297b0f564c12f9b864cb9c48b6b408ca13349dcc557c3243fe398d4921a8a8b
AgentTesla
551b22090262c7afc91b582469fd348fb365ea1ac39cf8ce75b55f069feddfc0
AgentTesla
5a7a9cb17f7c3d46e18a60c4201edbb8e93fe20723b34a9967a0fb67d2bf7896
AgentTesla
5dd114148f9cf40a9d80c1631cc582a4f19ee62d5f64c1b33e28a6ac5c5b0d53
AgentTesla
aafabbc33c3dcab75195c0a68e244c0b65043fd2fb966e8e66c46f76a1fca7dd
AgentTesla
ac6e23eef94b16aa7d6c2bdc35fa311bdf54019b2215d04b4e94384c4716ae84
AgentTesla
ce172721c1da61b4401d9b00414c050c72d33835962489ee6b59ddd4bc42ed37
AgentTesla
+ 11'108 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-bcj1tnxnme/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Blacklisted process makes network request
Malware Config
Dropper Extraction:
httP://paste.ee/r/EWxn1
httPs://paste.ee/r/FLQmg
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments