MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82888e4c1b79c13b1030a983093f9c2452631f593ec65a3ec975964e1e3322e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82888e4c1b79c13b1030a983093f9c2452631f593ec65a3ec975964e1e3322e7
SHA3-384 hash: 9c5a6dc028bc68cae7d7ff0d85a1e92c30728e1cb694ec7b800b9a955e7bf094be6fececbc0a3c79b0453767cf9a1996
SHA1 hash: 14b232d3f6ba791794c1e8305b772ec87a83cc1c
MD5 hash: 54e734379848b0ae767df4b7fab76312
humanhash: friend-mars-venus-mirror
File name:147647227-54134-sdfnt-2.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:550'912 bytes
First seen:2020-05-07 12:33:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:OqjY3wYp1CyNtpk3W3Sv58nP5k5n7ys5TnKu87JHLHswPzp5jqJg2:OiYlp1hKASvM65n7rnFmHLHny
Threatray 10'636 similar samples on MalwareBazaar
TLSH 31C4F186365E32BEE45BD9724EC4ECB0D964B26B334B93765413014E8ACCE86CF15CB2
Reporter abuse_ch
Tags:AgentTesla ESP exe geo Santander


Avatar
abuse_ch
Malspam distributing AgentTesla:

Sending IP: 62.138.142.11
From: Factoring y Confirming - Grupo Santander <fycouit@gruposantander.com>
Subject: Confirming - Aviso de pago
Subject: Confirming - Aviso de pago
Attachment: 147647227-54134-sdfnt-2.pdf.gz (contains "147647227-54134-sdfnt-2.pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 13:05:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qkei4ta3phatwebqvgbqsp44erjggh2zh3dfupwjowle4hrteltq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
02261d11f15d4b62340ceed9b3ab2e1520ed3206ba85331be8a775426969ba1d
AgentTesla
20667ee444d9dc8dc5135d0c4e29da6289572153ab6400534c1c6261d7503a64
AgentTesla
28e233a8cc47a8cf308a0f84d71d888c49a09bdbae6703b7f6a7f9cb7f184d04
AgentTesla
2dc17476d3fd11bd7a844bf4e4f5b96b0784ce7d3376b8b8b02d408a4edbd772
AgentTesla
3458232b533e946c63311cd8241c2a390868950d89c3f5e3aaac3f2413c9b82a
AgentTesla
92891933f5cd5e261f775149ca28b09ac1470b28a5d42d533ab5ed1712c18229
AgentTesla
9c41470416c33f1ac91bdf39d8bbec407e0214456f9d298e736cd62586345676
AgentTesla
a527ef285e43baaea32892e0a5cb56b7cbacad289e91aec9d31be07618f28e53
AgentTesla
b291ecc1c7cbd5549a0b9f400fe015af47fb6be96ec277e66c3795b9ff4dc95c
AgentTesla
e40a47b2463779b1d14af4a6611e560112de0ac5b926fe4fa5cbc36219e6ef7d
AgentTesla
+ 10'626 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-w4t443fa6j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 2614f5dda7606deece812f02a5e6affb6036d4883c065f7b1cbd35bc9164c54f

AgentTesla

Executable exe 82888e4c1b79c13b1030a983093f9c2452631f593ec65a3ec975964e1e3322e7

(this sample)

  
Dropped by
MD5 428a652e1336c85dbf662310a8a96e7c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2614f5dda7606deece812f02a5e6affb6036d4883c065f7b1cbd35bc9164c54f

Comments