MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9841eb92f550105bc744c34152086e2c6624e08b2a99c24c9084bdc7add30508. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9841eb92f550105bc744c34152086e2c6624e08b2a99c24c9084bdc7add30508
SHA3-384 hash: 2d82152cf71259c26b1f81087190686f1f38a1ef4178873116ad767c2b521fb434a18fa804d39ee0114a59849c9d8e32
SHA1 hash: 11c67d861800504577f330360fe9df93ee8c3be3
MD5 hash: a59290c3d45f3061d21c7501ae69972b
humanhash: foxtrot-bluebird-berlin-butter
File name:a59290c3d45f3061d21c7501ae69972b.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:395'776 bytes
First seen:2020-06-01 08:27:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:1S7UJUPtnmrnZVN2hLI9Tdh+tVrR56oO0uNz:15a+ZVC0Tdh+Pqow
Threatray 11'302 similar samples on MalwareBazaar
TLSH B6841208788C552FEA8C6DFCA0D514005BFAAC676323F7CF8D9164B58D973A69E006B7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.qoiti.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-06-01 19:00:01 UTC
AV detection:
30 of 48 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tba6xexvkaifxr2eynavecdofrtcjyelfkm4eteqqs64plotauea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
22525129004fbb8dbbc180fd0898cc33801cc75a9d6fc1072020ae12b4c2de88
AgentTesla
2f4964e14972eafa98f1fc8ad81f8dc2eeb45a00ef420cf59db34faba1592ac4
AgentTesla
63b4e4beaf7cb64789e465392b51d438b73184676d7ab496112a53e8651d41e8
AgentTesla
75b22a0fa50ba829ea6a30ab9bb769209bb30eddda709aa0e8d04eedb7156ee4
AgentTesla
99e3fe0d987e5351288ec41b56373bcf5a7094ea41af08b998e801a6ec1ed092
AgentTesla
9fb5e1d1b16b1a20d4994176d4579a90dd2e0a87b0bb6cac123e9894278f61ee
AgentTesla
a3f8c63b9925504706f889dc1bc944a5485144007b80b042cf53accda4f650c1
AgentTesla
aad10ae8b03a3f2997e124184b6256b88c69a61bfdd905b06ffa90204efeeaad
AgentTesla
cff3d5fedc8fdab09a7b27524a02503b53f4f7378ab0a09219701d3b9c3e68f4
AgentTesla
f0006754d451556014c91039915ea9505f348f80538e536d30b75c5ef252d73d
AgentTesla
+ 11'292 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-azlvtgffs6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9841eb92f550105bc744c34152086e2c6624e08b2a99c24c9084bdc7add30508

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments