MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9afb1269ba69bd18c0e77c2061cbbbec9ef53143d2e39079ef729f9da2eb000b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9afb1269ba69bd18c0e77c2061cbbbec9ef53143d2e39079ef729f9da2eb000b
SHA3-384 hash: ec42edb0404d9e16c7a905f99a042d8d180142f13580197aeed80e5d70e6bdf69ccf5d653ea60089d9549ce22115be29
SHA1 hash: 302aec80d7a368c1887f22f33c151d827798d82f
MD5 hash: 4ac699c93b9942e025616162e0147c29
humanhash: juliet-massachusetts-september-texas
File name:Data Specification.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:452'608 bytes
First seen:2020-05-20 07:44:40 UTC
Last seen:2020-05-20 09:02:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:B238ihA+arJgCxNE2oC+LrYgFUA+JSO5f7DGZMUhHz6f6z:mhAtrPXoVvFUXJJR7
Threatray 10'643 similar samples on MalwareBazaar
TLSH 37A47B7CB16032DFCABBC1399AD41D1AA660643B53179D0E64D743DD9A0CA83FAD01BE
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: cloudhost-109205.us-west-1.nxcli.net
Sending IP: 173.249.144.251
From: Gökhan BARMANPEK <gbarmanpek@kipascimento.com.tr>
Subject: RFQ Avant Project
Attachment: Data Specification.iso (contains "Data Specification.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VZI.6692.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 08:42:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tl5re2n2ng6rrqhhpqqgds535sppkmkd2lrza6ppokpz3ixlaafq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3eb30f7fa77eeed5c687b9514c1ef0e9cca4778a514e30a2a0c07949945407f4
AgentTesla
481fe9b310d02dfed2c5d650e64b63bab9021d9c8ece0b90f9a0d474ce6d64e8
AgentTesla
4a07677e90615a17c1d659f823433fc283387255551aa314c70d1906dc9a12e5
AgentTesla
ac979891a231a3af79a31a52663f77fe151bbbddee9b13750ea02e82f6aefd40
AgentTesla
bcc9c0d2162cec6b418ab08905642c181d2c24b95a4a387242f73cd5d4410bb2
AgentTesla
c964296558dc6cf1a3e305f48af7ea8b6736ef61f01425dbfabc6fd32cd4eb87
AgentTesla
d364a64f878c7a01c622cfb107ebe9776a9defadfce6875fc37b703e695dfa50
AgentTesla
e7e7041b16466bd06811dc949564fdc2cabed3c4f7e8957581f0a4b53808ab0f
AgentTesla
e8917cab54dca8c56976f8fa973521d58d0fc5abc196906a2aaee1e31c8b007c
AgentTesla
f349c4c241a5ce1565b3d584dc1158fbc4e9766d99becca69c5d4d848de0fefa
AgentTesla
+ 10'633 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-qkd16lfwpx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware family:
AgentTesla.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9afb1269ba69/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip fe155a2f79eb0a91c02433b13776d9d2a4a05c7e31c1291e67d5fd2138b98681

AgentTesla

Executable exe 9afb1269ba69bd18c0e77c2061cbbbec9ef53143d2e39079ef729f9da2eb000b

(this sample)

  
Dropped by
MD5 97b0750bd3111cc3ce0a6c3ffa970746
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fe155a2f79eb0a91c02433b13776d9d2a4a05c7e31c1291e67d5fd2138b98681

Comments