MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8af6ccdf9c60f235ed2d82cb83bde963542797f038d130fc5662d9b0254e1939. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	8af6ccdf9c60f235ed2d82cb83bde963542797f038d130fc5662d9b0254e1939
SHA3-384 hash:	d7223a71eaf9de9f1b4fa1370fcc80d03481e00481a57dea43fffb7dbb644798b1744b7180ac04257e837d3c8b779926
SHA1 hash:	e64fdb68964c3b914c3e4bb3c023d39e3de0b5f9
MD5 hash:	e99641d5f808433191492e9976904def
humanhash:	glucose-eleven-delaware-black
File name:	e99641d5f808433191492e9976904def.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	351'744 bytes
First seen:	2020-06-22 17:23:59 UTC
Last seen:	2020-06-23 16:44:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:nouX2eQvuCnMoIUVCr/zdRGqGIKJtv2iLzlv+9QTUmUK28xMyvt3:9fhCMoIqCfTGqGtrvZA2UmU38xjt
Threatray	10'633 similar samples on MalwareBazaar
TLSH	1874CF9D62348325E52A0ABE8C3464AA72B562C3DEC3EB07425D3C4C97731DD19DBC6E
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.softechpharma.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/12703/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WEZ.13626.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8af6ccdf9c60f235ed2d82cb83bde963542797f038d130fc5662d9b0254e1939/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-22 16:11:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rl3mzx44mdzdl3jnqlfyhppjmnkcpf7qhditb7cwmlm3ajkode4q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

09944e1f48bf7f92a9302b2fb104e20ede5d5a897dd2107f795175e0cfa405e0

AgentTesla

0d07c8344ef01c56baf0fbb085a23d8ebce502082ae9461bfd60fd38ea10f829

AgentTesla

131347c9601fe7bc4e4cf621abbc69686360d1210bf0045d663d97adf5fbef6f

AgentTesla

263573ece93d13d69ed99ea6be5715ca5b15e1877ed09a274ca9cf55f4d16a22

AgentTesla

7fc9466732f48a13fba7f7169c3eb19bf021d6adc63957ee1c5d57910887782c

AgentTesla

9bb06976e7079506985dfe94112ca75d51e77f7d37b093bd8e269c8aeda07d1f

AgentTesla

ae74623e356130501507540ec165aa3ca088a7cb27bae50769998b6cb6538f0b

AgentTesla

cadf2a43d7f85a109aed5177e99951fba7031621fa470af37a58f283b0edc886

AgentTesla

f81ffe76cfa1447a52ab6613c83933a5040b49221bb16c5a86ba416b3026240b

AgentTesla

+ 10'623 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/200624-jfvcjrva8j/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Drops startup file

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/12703/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample