MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ed35bcb3d309f150224f3feb4261974ce96d19c908ba0467c2a2a1a397fba1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ed35bcb3d309f150224f3feb4261974ce96d19c908ba0467c2a2a1a397fba1e
SHA3-384 hash: b603ccca8e26faccec946e29ac0267be8a0f9207fbb8ca6fab2d18d82a4d8ed058bcadcacc8846dba7c8715d5faea251
SHA1 hash: 61b38d4e58fe94946d10f95fa284a2f779b9090c
MD5 hash: a64a53402752c6480f343d6b9637e2d3
humanhash: florida-steak-uranus-mars
File name:Paymentadvce.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'276'352 bytes
First seen:2020-06-12 12:41:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:Ah+ZkldoPK8YaJWsQRxtM1vdEQep1aQKrgqrn:h2cPK8m5DXaQMgu
Threatray 11'241 similar samples on MalwareBazaar
TLSH 5FB5F00273D1D036FFAB92739B6AB64556BD7D250033852F13982DB9BD701B2223E663
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: speed.ibxwebsolutions.com
Sending IP: 5.189.181.83
From: nursery@najamalsahraa.com
Subject: Re Payment Advice
Attachment: Payment.tar (contains "Paymentadvce.exe")

AgentTesla SMTP exfil server:
mail.binitoo.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10064/
Detection(s):
SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-06-12 12:43:06 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r3jvxsz5gcprkare6p7lijqzothjnum4scf2art4fivbuol7xipa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
208a8cfdd915e43d58459d4e082efbbf58c649933c09c18c52bc95d34f9725ce
AgentTesla
33eff9415626bfe8ec4229ef6a6b248e0e6b7b1115c84a78724dd9b58336bb28
AgentTesla
342c79ff62a16ad618c837f19efa7362a7f06403b5eb405ca667048d90344945
AgentTesla
64f61dd41ec3a411e647f6371b8500666db3c96cc57a8cb0c16d47cceaf12aa9
AgentTesla
8a37427f4a23e3152a7e6122ce7593e1ebd1049b3cfc5a9ec78567e13c785eba
AgentTesla
aad3b8a87d1932384a6d1c2869b9138ce79d78b3bfc2cd61324e1a833f5f967a
AgentTesla
aae45a77eeaca2d69630e035293e25a47f81d5b7612bace059d1678154485b85
AgentTesla
ad3ed5a2a7fdaf7778464c1f3bd3de13972d04e7123522cb906ea18112e359ba
AgentTesla
bd3ef09c71d86ecabe006cf29542bcdb3d176a000e88d6b58680055e28910dc9
AgentTesla
f834e2059da963db70d88af267f09807a69fb3edfaefc344e5ab542911835be3
AgentTesla
+ 11'231 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-beawmhdr6x/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

tar 3cbae37aee8d79ec63c4708cf9013ed9b31bccde1d7b901f393d2219fef2fce1

AgentTesla

Executable exe 8ed35bcb3d309f150224f3feb4261974ce96d19c908ba0467c2a2a1a397fba1e

(this sample)

  
Dropped by
MD5 2502f2f845fab7e2f7901a0d1004a9d9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3cbae37aee8d79ec63c4708cf9013ed9b31bccde1d7b901f393d2219fef2fce1
Cape
Cape
https://www.capesandbox.com/analysis/10064/

Comments