MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9eb40a27f7187fbbf507c49d780a6965df5fde1f21927a4f6b3085df5147e170. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9eb40a27f7187fbbf507c49d780a6965df5fde1f21927a4f6b3085df5147e170
SHA3-384 hash: d659059f742c37d9d0c272be87718af8a36347fa8afb4ef9a361b059b1ce3af0906c72e5b2afd03ddd74a413a4b9d28f
SHA1 hash: d6f88c855bf298fd423f84567fa8d81cbcb099d3
MD5 hash: 2f3a26a622828cb227f49c921eebad38
humanhash: connecticut-stream-sink-massachusetts
File name:2f3a26a622828cb227f49c921eebad38.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:471'552 bytes
First seen:2020-05-22 07:04:56 UTC
Last seen:2020-05-22 08:02:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:QbqB/Nb34HeD7wjcBZMrSoVbz+eLyt7pnP0:npVIHe7ZMrTbTOpM
Threatray 10'554 similar samples on MalwareBazaar
TLSH 55A4120457F86B17E57987FD71E0404123F9B12B26A3F7AE4DE264DA12733114A22EDB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject3.40368.27796.4572.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 07:36:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
38784e09ac572a99811a368a4cc4ba28f949b2ada8f0ce426de03a0bf7c2ee99
AgentTesla
4196e77b555b5320913fbff4f5a329130e1f5b935f37f18e9deaa7b83f0b5108
AgentTesla
65e49a29cdfa1f1f91d5a59354ce7920a03b4aaddc0e26a3b002985d57388ea8
AgentTesla
793666eca93a68eaa6cbb34eac888c354c61cc5d92e5f8d99466020a430308b2
AgentTesla
89bd696df7073c78ebc27a60c79728b782ca27d1d82abc8b0d5aafea1d1d61d3
AgentTesla
96382f5a4c395562a3d763a7f61e09486af57987d43e5cd231063993bb6952ac
AgentTesla
978d51366e13c76915194bf67170b7431115e1962eddee9debeb3f8c89d77a88
AgentTesla
9aacf7241d4ac98976ece20663fe83d6b5f13bfe98b597ae02ed5d39614b9c16
AgentTesla
e06afa0c894ebda14b627718de1c45ac92bc1037a26592f4df7751c918bb1bc4
AgentTesla
fdf384c1cbcfbcd1bbb814f9d80ddcc4d2b3c786fda29c3a48ef7cde8f08d78f
AgentTesla
+ 10'544 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-jw9pse4xhx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9eb40a27f7187fbbf507c49d780a6965df5fde1f21927a4f6b3085df5147e170

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments