MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8df93ec87b8e939221fa7ef06a7b7caa881a9d31c11b432f389e41ffdf500c88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	8df93ec87b8e939221fa7ef06a7b7caa881a9d31c11b432f389e41ffdf500c88
SHA3-384 hash:	e21ee4b132b61a8873c7c588098ad356d01ba75739cc68678b44b16f1c5e13fc921346ba8ee6fd238264f003caacdb43
SHA1 hash:	d19828c57c121a741d4aeb2190dc0f75de4ff347
MD5 hash:	87b78428537778060b330faf05cfc574
humanhash:	lamp-montana-mexico-beer
File name:	87b78428537778060b330faf05cfc574.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	671'744 bytes
First seen:	2020-06-29 07:18:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:1TaQtZl9TGuJ0tXkFDpEwtkYe2Iq6gSOCEpFggtrMby3udBiw1cyK+T:YQtxh6KDbXgMdyK
Threatray	10'770 similar samples on MalwareBazaar
TLSH	5EE4E83B7E85F509D13C593280EB1A5163B1A5C32B23C70F7ECA97A86E0139B3E56359
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla FTP exfil server:
ftp.bmdonline.ro:21

AgentTesla FTP user name:
webshots@bmdonline.ro

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/15519/

Detection(s):

Win.Malware.AgentTesla-7660762-0

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/8df93ec87b8e939221fa7ef06a7b7caa881a9d31c11b432f389e41ffdf500c88/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-06-29 07:19:05 UTC

AV detection:

24 of 31 (77.42%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rx4t5sd3r2jzeip2p3ygu634vkebvhjryenuglzytza77x2qbsea._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1f40106224e9c8a5fb2934f9669e1481508df50cf4cdd0df2dcbd281df911d2c

AgentTesla

6cb59c403d44f189cc1fc19ade756c48496f7e1c2a1c981a86ae4ed78546174f

AgentTesla

97877280bba9500fb1cb5d466a66337ff281c278339b089bcb661bbb342adcf1

AgentTesla

a576e8f3b6908a56d86f470f8399a7f2d73d784f4534637a083feb395fc14319

AgentTesla

a8ec57a26ec4c0a4dbd0cdce3e4a1bea7d77433160f0a48737e0df9e203da492

AgentTesla

ab73714788b9dc00470ea8ab91b4e6965546b9768cd3a897e4ca042e3303b126

AgentTesla

b6475693b118bad18f4d1f7fa61e55b3e3cedc68ac6a6c07891a6a4e329f949d

AgentTesla

cc6d907cd248ce25a61d6d7b998e8a7ec6e5ee7e5eb63334365601efb9ee2c8d

AgentTesla

f4f5d415994b9bfd0b7e0d6b9e4515b919692a7ba8e92d98511f8353cd2beb04

AgentTesla

+ 10'760 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

persistence spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200629-23fq9vzhyj/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Modifies service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/15519/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample