MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84fbfaff31bef0f0bdb851ab257a25e9b65e10ceaa1b7c93a0e3b9fbafcc8d41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	84fbfaff31bef0f0bdb851ab257a25e9b65e10ceaa1b7c93a0e3b9fbafcc8d41
SHA3-384 hash:	c4207db714c0775eec949571f9e6279d72e882ff9445d74fee440bbb95d4b3e5907144c2a9844dd5de6e2e7f9ff943d5
SHA1 hash:	f95157dfe8964f44d108cd2f1f1f19fea4a2da44
MD5 hash:	c78facb28580ecc5a518b8dabec5fc41
humanhash:	william-juliet-item-pennsylvania
File name:	sk4Ml.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'483'264 bytes
First seen:	2020-06-11 13:31:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:nAHnh+eWsN3skA4RV1Hom2KXMmHaq8R/dsjswysbvuoxaUBxd7E64u8FHSWfFhDq:ah+ZkldoPK8Yaq6UswytUJ7E64BFHSK6
Threatray	11'233 similar samples on MalwareBazaar
TLSH	D365CF0273D1C036FFAA92739B6AF6455ABD7D250123852F13982DB9BC701B2263D763
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/7796/

Detection(s):

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

Sanesecurity.Malware.27681.XorExe.UNOFFICIAL

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-11 10:02:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qt57v7zrx3ypbpnykgvsk6rf5g3f4egovinxze5a4o47xl6mrvaq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1304ed05b8f1d183feec8852f16c1f0ba3198388f437a339af62bd2974d8ebdb

AgentTesla

3af7267092a489852be03a8e4d7af1be12d01a34122808c59a5aca1780926e2d

AgentTesla

6fc9d76b06c202aeec60a5a4e5574cd7a1fe1c12c0df84e9bc65be508923ae7b

AgentTesla

a7db22ac79e30d4838c31b0dd7ce2a4029471a16a495a9165f3c817596d63cea

AgentTesla

aa6d8be8d60644a20db18bf3210852bd1ae907229744d03e0ee96b4fba4dd162

AgentTesla

ce62db6659d55100dccca756c2782c49aff09f36c9b08439ff357df77a2020a5

AgentTesla

e127a69284fb0dfa24cf49db889e6666e8efd039173a5b6f70b1ded73d66f041

AgentTesla

e4d7c1e05b2a55ebc758e7f66c3828b66eaf586d9ab648a189cf294a9fb45eb3

AgentTesla

e97035f218839d1fcf82d2cc2ce90eee75db34943692ac7172c131252297acfa

AgentTesla

+ 11'223 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-7276f938vx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Drops startup file

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/7796/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample