MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80fbc22a86b0bdd1628897a522a16daa48af2e0ab58dafde86fd26f69526f9bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80fbc22a86b0bdd1628897a522a16daa48af2e0ab58dafde86fd26f69526f9bb
SHA3-384 hash: dc42c5bd60f6055fdd87d3e62480a4a6ba584c62f26a1446d945319dc52a1ce669c9e05200a89a1dea050c6c8d7c7fee
SHA1 hash: f09cf92e8b3841c248f850e6ba0203a7aa808f02
MD5 hash: 5a47fc30fe783afbbed1b53d7295e59f
humanhash: sixteen-nineteen-mike-harry
File name:P.O 428223.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:484'864 bytes
First seen:2020-05-12 08:34:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:QmNIHzGep8fvDWpbcbp/oZ4E8aQPBw7mpW:RIZULcbApwvDQPa75
Threatray 10'746 similar samples on MalwareBazaar
TLSH 74A40161F6A8EB93C2EE55FF88A0610543B5B0E164D1F7D93CD258E932D8BC24542E8F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: api.vvillowood.com
Sending IP: 89.46.79.252
From: Sayed Moustafa <anna@vvillowood.com>
Subject: RE: Enquiry from Dubai,U.A.E, please check.
Attachment: P.O 4800483 PDF.rar (contains "P.O 428223.exe")

AgentTesla SMTP exfil server:
smtp.aerotacctvn.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 02:34:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 30 (80.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qd54ekugwc65cyuis6ssfilnvjek6lqkwwg27xug7utpnfjg7g5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00a3fd22323a15f2d5b6f99683c2fb5e2736c96ad179a8d1be1a8943c811e011
AgentTesla
04f52aeb0c5923b55f2576643009018b6ac3c7fd3569340312f3bc3fd1eb1120
AgentTesla
182321120c1270861876820e9413137d6c32cd8af4e6aee6cef87ee5fa236b5b
AgentTesla
1eee887b16c1d789c1869219de2609fbc29ef3ee0c0625f2907c71e9ba701daf
AgentTesla
3cc27abf2f572f865686fcdff03c0ecc3b12c71bfa890d3c23a09e42766dad68
AgentTesla
5d2205a9b13efc7fc35da49a6944ba14a1d4eabea7384cd131159c30d8b6d931
AgentTesla
a17ef004c92a31609e352f1d1d70b3f052093b6a1801fa5793627db80f8c43c3
AgentTesla
a959a2834a98565e519eeadf6ecd71aea91ad04c2a38a73f17f2f60ee43f23ce
AgentTesla
be6f6f78c95cd6e75ce7bf0c643d3acdf6eaf68d5ed12d0bd6ff71f220c7165c
AgentTesla
dff01b9f8946ed3792fe4e32ae3f95834c892f16ca219dc99d78fd15064f82a2
AgentTesla
+ 10'736 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-lx5768c5d2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 32bdfa14b977f602fbabbefccd5224e2dbac937f84b0c677ae09509937855cff

AgentTesla

Executable exe 80fbc22a86b0bdd1628897a522a16daa48af2e0ab58dafde86fd26f69526f9bb

(this sample)

  
Dropped by
MD5 a154f571713ca4f70f38a2e8c596f60f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 32bdfa14b977f602fbabbefccd5224e2dbac937f84b0c677ae09509937855cff

Comments