MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 974edc62c329ce314f5c8c745cd145779db4c5a5d46188def7351cf11be83eec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 974edc62c329ce314f5c8c745cd145779db4c5a5d46188def7351cf11be83eec
SHA3-384 hash: f87193b4c13661d9e976e42105ab0a09026063575fef91c204971ab56e301f68bbcfbf620f92f124b7f6163c24f09121
SHA1 hash: 29e13fd3f0ef1d1c7110f953e90a6d3452cead9f
MD5 hash: e1c07e47e51d352fc3b6f026e05a6745
humanhash: king-glucose-oxygen-autumn
File name:SHIPPING DOCUMENT & PL.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:439'808 bytes
First seen:2020-05-22 07:12:03 UTC
Last seen:2020-05-22 08:02:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:vP1vK+80o1MGGKNU3UGNBCPuj5taljT7:F0fuoUkGNBCGGl
Threatray 10'628 similar samples on MalwareBazaar
TLSH 7B94011557FC5737E23E4BFD94F0101107F525252663E75E4ED2B0EAAAB3320CAA29A3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: icefactor.ae
Sending IP: 103.145.254.227
From: Jozef Králik>jozef.kralik@icefactor.ae
Subject: SHIPPING DOCUMENT & PACKING LIST
Attachment: SHIPPING DOCUMENT PL.rar (contains "SHIPPING DOCUMENT & PL.exe")

AgentTesla SMTP exfil server:
1st-ship.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48419.16042.14126.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 00:17:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
213bc1e79dd9fdc519dc1f286f1d0deae4ab6167aa69989d14c1f756fc6217dc
AgentTesla
36a03b97c28620a2da908370d7505c714e9863bf3c328152e1a4a69fc40a54e4
AgentTesla
4f81b89148442875962b35680334d7fc7b5827ad3764891fa990552fe77ea28d
AgentTesla
618d791a22f2a8bcd4eb2fd672f47b443cb4c732ae1cb63e201d07a96f3343df
AgentTesla
755757fe45ca7ec3347803cad3da8e3d964c330f4649e014b22d6851c7acc5ef
AgentTesla
75ddb1231411d9081444e739cbfd364249a18a5b7dd44a85d6363250f5d0a6f8
AgentTesla
8efa8505066ee4c366657eb07b866e7493dffd71a6c4626c811dd25e15b45828
AgentTesla
91236da59c95dd764f85a84297238f215ef0cd3d0fbc37f2a2f15d2f302e2dfd
AgentTesla
93d5e54bc0eedf04d893416ef597e0c833c7d7870f9f793fdd7e5f1b23382273
AgentTesla
f518f0a8e6238b33a99b3c030da878a1230d278dff2cac740c2a6c089b7801b3
AgentTesla
+ 10'618 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-wjk27f69ss/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar d3388177d20ad55e13cd99c7ae60b9ae642daaf319c6c89216c6f44b5f917d46

AgentTesla

Executable exe 974edc62c329ce314f5c8c745cd145779db4c5a5d46188def7351cf11be83eec

(this sample)

  
Dropped by
MD5 c6a2f583ba8a05e30c66e196df36a462
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d3388177d20ad55e13cd99c7ae60b9ae642daaf319c6c89216c6f44b5f917d46

Comments