MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9350e2b52b57a3f17169e6b46a888559dea995d2de8c61a4cdbcbb340d530dff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9350e2b52b57a3f17169e6b46a888559dea995d2de8c61a4cdbcbb340d530dff
SHA3-384 hash: 79a1e24ce98eb8242d80b90abfdb772554fcfd8917093505d6c04c991a48e3151e35466853a691695966834d3d0fa8f3
SHA1 hash: 511d9b22cd5a565d336e6ecf1b63740d3a2450aa
MD5 hash: 5d401208a61eb45a0a42ace4528329a7
humanhash: robert-lactose-oregon-gee
File name:PAYMENT SLIP.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'466'880 bytes
First seen:2020-05-26 11:08:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:stb20pkaCqT5TBWgNQ7a611ZqznhPpWXzsUAvDVA0qcokNV6A:VVg5tQ7a61Tw1sdAvDVA1s5
Threatray 10'894 similar samples on MalwareBazaar
TLSH 2365E01373DDC364C3B25273BA55BB01AEBF78250AA5F95B2FD8093DE820162521E673
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.andalanfluids.com
Sending IP: 180.235.150.93
From: Mohammad Hasan <mohammad.hasan@bearingcitysc.com>
Subject: Payment Slip - Payment remitted 28/04/2020
Attachment: PAYMENT SLIP.zip (contains "PAYMENT SLIP.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 12:57:28 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
16 of 31 (51.61%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0af91caf5bfd256133203be73629b6fc15dda3a6d11b007549babf7118763cfe
AgentTesla
10c418adf1fc625bede0ca0fdb71bafbba3570e99e96f44f362b82ac34b78626
AgentTesla
1b8967747fc03efc0867c491b18e3f3be0b35b9c068499ae3d35f6e860f6ec7d
AgentTesla
77761e8530f70e653145a4736b03cc88abe3be089fbc2fec3eb294f4dc952377
AgentTesla
7a37e28cbc3beb7a9b2bbcf47562715144dac784c1661ed0a545b2357def5b30
AgentTesla
8993c6ffa46e5d51e517982dca4e5bb6ba32ed168348c1d4004a41a581282a1f
AgentTesla
8efa5e8db185fb62c1a2156d79988c47d240abf1099e10cefc16a2d3956cb49c
AgentTesla
9dc77917857b09b06426f7637f10582c8564327f900a7a8f3b6c386ab3ef13a8
AgentTesla
ae29309cd07a69a999f452b2ae38f9b444e3ee7ea1b7fb3579578abe23bb5829
AgentTesla
f33e536c31c5aa7b5a463c4c9243b4369de785e06648ae076a8822f11797076f
AgentTesla
+ 10'884 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-hw9wmb5a9n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 6e570e257e1d6f826a8ed9ee4d46aa69e36fd6f0fddd57f432f993fdaf4fc237

AgentTesla

Executable exe 9350e2b52b57a3f17169e6b46a888559dea995d2de8c61a4cdbcbb340d530dff

(this sample)

  
Dropped by
MD5 8eab84ad3fb44465f006c9b78b3e847c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6e570e257e1d6f826a8ed9ee4d46aa69e36fd6f0fddd57f432f993fdaf4fc237

Comments