MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82d3edc9ad7ba25feca5ef08641b0f030d92faa5dec17f3148e062b727a0240c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82d3edc9ad7ba25feca5ef08641b0f030d92faa5dec17f3148e062b727a0240c
SHA3-384 hash: a53eca76e925c38f8bbffe6236e6b29bf6ad63e0f42e277a9d126707882309a4fc31c95fd3073e8f231553b2b4daa0d7
SHA1 hash: c8258ff8ff5e94d3026a50cd56f399aa6a388043
MD5 hash: cb2758f854fcd3e6d4eff297aba1079e
humanhash: hot-texas-monkey-spring
File name:RFQ-PR# PR1787523 (BA).doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:466'944 bytes
First seen:2020-05-04 21:16:35 UTC
Last seen:2020-05-05 17:48:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:aP7B99hL/FuWAxea8mXuhK/ekHfSFz8hpPQbyq:y7BhLfAxea8mXuh7kaFz8hl5q
Threatray 10'561 similar samples on MalwareBazaar
TLSH 68A4E0282BB8C917CBFF82B5BC44504457B4D3E2AD81F785DAD17278CC4BB86698624F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: toorsteel.com
Sending IP: 103.145.253.151
From: Toorsteel <toorsteel@toorsteel.com>
Subject: RFQ for PR# PR1787523 (BA)
Attachment: RFQ-PR PR1787523 BA.doc.zip (contains "RFQ-PR# PR1787523 (BA).doc.exe")

AgentTesla SMTP exfil server:
mail.toorsteel.com:587

Intelligence

File Origin
# of uploads :
6
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject3.39524.9273.13695.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 23:33:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qlj63snnporf73ff54egigypamgzf6vf33ax6mki4brloj5aeqga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0598b4ce2460676755245bad49490a9c94ae85a074c2242adfa65c52b0ad3796
AgentTesla
201aab86deb0b609b895f6934d5a87b56384cdf01dbfce5e5bb2e970f91bb919
AgentTesla
219760dead477932b0a969b38ecc8d7ee41b2da4de72f32700f905cd705c340f
AgentTesla
895225b53f54d122a60d52a692acfe09a4fb64fbc2bea01746d2ec3f12e3a564
AgentTesla
a563a898ce1c8dcac374ef8a468e39a185ca3b010f1a41b60731a7beac23f846
AgentTesla
a744e64bd387c4f4ef681744a8fd7d8ab024e3f6650302f24163fe506e92cccf
AgentTesla
bacaaa40e0f3b6cba3fc498dfbd6f2d198a767453cd8513acdbafa9fefaeed2a
AgentTesla
d3ccfc7eefe685bc703f2975cde7560c851f7e28f8fac127baf54b24ede4ca91
AgentTesla
da95177191327894415885bd683840bbe593fefbe4ea00a4b054c264a3e5e88d
AgentTesla
e2d6119bb484c9e5f5a7107b4687553416208badbb881df4328bec5146d08509
AgentTesla
+ 10'551 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-3cheym4ala/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
AgentTesla Payload
rezer0
AgentTesla
Modifies Windows Defender Real-time Protection settings
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 1bba4fcbe371eef6f5fc8d580ae2880805d2f6cd11877c46b18179f68c5122fb

AgentTesla

Executable exe 82d3edc9ad7ba25feca5ef08641b0f030d92faa5dec17f3148e062b727a0240c

(this sample)

  
Dropped by
MD5 90d8f2b754b6210c051b1f8b1f6515dd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1bba4fcbe371eef6f5fc8d580ae2880805d2f6cd11877c46b18179f68c5122fb

Comments