MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e4a0e9ca5fc3d99fa1910cd19bd8db39c79ba01320341e5c9ce30ecff9ecdd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	9e4a0e9ca5fc3d99fa1910cd19bd8db39c79ba01320341e5c9ce30ecff9ecdd3
SHA3-384 hash:	8c5cf1135b06a778d0dfb2c7cacf8320080aa792703a035c50a36bc360a79940421abb46ca8c4e232f6f239ed8ea0449
SHA1 hash:	c736083b2ad0e8b342da8dd18da3f0f65ee2aff8
MD5 hash:	e44da520fb1bd768b2ecb9de8d4f9af0
humanhash:	robin-one-snake-one
File name:	payment slip.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	925'184 bytes
First seen:	2020-06-02 11:56:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:VPW9mtiNH9R2CbFDDxtx/YyO3u01w4eV3bR5M/xAdDUnKoAmQ7:VQNmCbFnj9YyOek7q7
Threatray	640 similar samples on MalwareBazaar
TLSH	0A15728E2222D1DFC455C6B8E8243FF85D14CDBD13469382A2B635EB6B7F77A2640136
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: park-mx.above.com
Sending IP: 103.224.212.34
From: brave@projectinquiry.pw
Subject: Payment Confirmation
Attachment: payment slip.zip (contains "payment slip.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

1

# of downloads :

68

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Genkryptik

Status:

Malicious

First seen:

2020-06-01 21:36:50 UTC

AV detection:

33 of 48 (68.75%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tzfa5hff7q6zt6qzcdgrtpmnwoohtoqbgibudzojzyyoz746zxjq._file

Verdict:

unknown

Similar samples:

0382884e9d5a700d9e0b587cafd5eb5849b5cf65396de1af8210e20042194bca

0c630248507337f2835d5ff76bcadd48aca15cc50c4b334eabea3a93bac8a6cb

2d087f692712048cacf9fd659710e3c0d4916827fdbfc1a8a5b2a50ac4218920

2dc17476d3fd11bd7a844bf4e4f5b96b0784ce7d3376b8b8b02d408a4edbd772

3bf4ccc4c163b1a1e8881a5c2d659e897c519eb6941a9faf1dc4a8b48cae7a2a

4d3e8c6d43fcdf1f060986547c0d0af4a27c4ebe9377b374c6981f27d317d5cf

5afb8b1e08dee442332deaabd3fb126ffd9d4b34056aa33e121f24776086695a

7db3bfd1a6a9895676b8425c82139280900bc0747c744ded4cada495a861790b

d96e23b30fa45b644b90d50eae8d474b12d6f2c7100684a8c8ad99abdb92168b

e713a9bac94efc2de71fbcdca91c221b8f895aa48a216ec8a656a879e5a8bd83

+ 630 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-zfcep78bm2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

rezer0

AgentTesla

CoreEntity .NET Packer

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip c6d3f058ae3d3d3609586acdd1fc51d20071dbd048975ca9959fb3d0ec7b7870

exe 9e4a0e9ca5fc3d99fa1910cd19bd8db39c79ba01320341e5c9ce30ecff9ecdd3

(this sample)

Dropped by

MD5 f6f1c9e6cacd63700093fb62b0246961

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 c6d3f058ae3d3d3609586acdd1fc51d20071dbd048975ca9959fb3d0ec7b7870

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample