MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a19573af6e0050d407b1dbd3bfb2966484d81e6cb6bf99059db0802d0bd2d5c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	a19573af6e0050d407b1dbd3bfb2966484d81e6cb6bf99059db0802d0bd2d5c2
SHA3-384 hash:	ad83b9b9b8b214bd12c36d7bec6b79f8dd94268fe4fa291185854c7c92a0ea00de04230b2775763e8482b76c3c0113b3
SHA1 hash:	dbd8808d5f17bb0709014d4c3d79a64339815b4f
MD5 hash:	8ddf8894105209206407a0656852fff1
humanhash:	alanine-failed-robin-foxtrot
File name:	scan copy-80808_pdf.gz.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	847'872 bytes
First seen:	2020-07-10 13:44:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2050fc6fe8629092d6969251a507616c (10 x AgentTesla, 3 x AZORult, 3 x MassLogger)
ssdeep	12288:SZg4xCln237ztIdDN0P7Z5c0z+uP4nyirARkNQ2Ad4i5zIT47YVS0NprBkVC9:SiyCa7qmd5pLQyir/N+fIsMYUprBWO
Threatray	11'110 similar samples on MalwareBazaar
TLSH	D305AF22F6D14837D0B21A7C8D1F6368792ABE512E3C99467BF00D7C9F3A6513939287
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/24424/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.2197.30182.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Launching a process

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Enabling autorun with Startup directory

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a19573af6e0050d407b1dbd3bfb2966484d81e6cb6bf99059db0802d0bd2d5c2/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-10 07:45:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ugkxhl3oabinib5r3pj37muwmscnqhtmw27zsbm5wcac2c6s2xba._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

1fe9e9760604fed048445b3c79c91d30a9b1cf75a2a689c48181724a91df38e3

AgentTesla

3e12b0587d24f1f28bfc04ac59f0479bd458d042e5ec0602276ca8044c5b77ce

AgentTesla

552a6dfb3ccf93b4ce557243d0aa56129c5d9bc031cf5f81cd20f1a701422a2b

AgentTesla

775f508ce9aa128d16970e85f0b02f8f200c50dde94a1e345621069dd7042330

AgentTesla

816c35acce2b50030e1f9d6e3782be171fd677d77da7c165693e1bdd2dac958d

AgentTesla

8a7bb1898f3f00615aaabfb2e731670588ff0be3b0ab11889e27a1d9f36d3315

AgentTesla

c0a630b8ae36aae7e508308718a4eda6b144f385be7927a8677ececb04e18ee7

AgentTesla

c5b7a21aec63cb037d441c6e850b500567b1937c21e4f842fbf73930a6ec62a4

AgentTesla

d62fb8c1085745bba5628a442571a54b7225f4496ad27f572798739195ebedc3

AgentTesla

+ 11'100 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger trojan stealer spyware family:agenttesla persistence

Link:

https://tria.ge/reports/200710-rnv4hshgd6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

Adds Run entry to start application

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Drops startup file

Reads user/profile data of local email clients

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/24424/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample