MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2f6070d226ea3e37126cf9a65bdc444d9fd0cf3ffe14cc2b0fa1169f5230924. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	a2f6070d226ea3e37126cf9a65bdc444d9fd0cf3ffe14cc2b0fa1169f5230924
SHA3-384 hash:	6a4400e2568e68b6159e575190818bad2bbb1f1476df9474fd8a593c82ec816f4f0c43b2aaef312aa74a18afb451b498
SHA1 hash:	9584a8e60555287e9c98e02c32a567d1ed265450
MD5 hash:	d9df463bcc95bdb30ec68992c6264ea4
humanhash:	gee-harry-football-sixteen
File name:	OBJEDNÃVKA #49384CF1900-pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	678'400 bytes
First seen:	2020-07-16 07:56:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:XbO2CS28qtmuFD7ms9B+WXCSkXf8Q6LRswjG301ac5T7n6aDZc8fGysS0:Xi2CSVq2s90SCn8TY3ZqpDZ0ys
Threatray	10'851 similar samples on MalwareBazaar
TLSH	2CE4393A3AC66406ED3E097544F896E063B0B5CB3E12CB0FA9C61B5C5E077DB7B46246
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: gyp.gr
Sending IP: 46.227.62.27
From: "Oleoestepa S.C.A" <direccion@oleoestepa.com>
Reply-To: "Oleoestepa S.C.A" <dustiutd12@hotmail.com>
Subject: ŽÁDOST O CENU
Attachment: OBJEDNÃ VKA 49384CF1900-pdf.7z (contains "OBJEDNÃVKA #49384CF1900-pdf.exe")

AgentTesla FTP exfil server:
ftp.samarasae.gr:21

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/26483/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/389421

Signature

.NET source code contains very large array initializations

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a2f6070d226ea3e37126cf9a65bdc444d9fd0cf3ffe14cc2b0fa1169f5230924/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-16 07:58:10 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ul3aodjcn2r6g4jgz6nglpoeitm72dht77quzqvq7iiwt5jdbesa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3d0a1e494ae5a0cbc4075f7cbdb2421e4840da06cf3ea998d588928c841e9713

AgentTesla

51feba16fe4544448af69bc8c311f138aeec6d3c92114aaa9d00c427bbe240d8

AgentTesla

56f2d6b9b207a2e0f5fc1a59d36376b4cde1ac6ac52e95a9c48c00c02e271516

AgentTesla

6783eae69893388f7895a9787ed3c8b429e730d45e8aa3cc1e60aa45f0664bc2

AgentTesla

6da9729b89ad6b0aff3f94e20754a9d46185fe0c9076aa950ddf8e4e720e5ef0

AgentTesla

a53aa039dd319d6f8f791f9bc8e1b3dcf253ec019900e30d9c0c15020750ee70

AgentTesla

bab9a6f06c198be12246666b1763fe38ef22795f44ee6aadb141adb5377cb1ec

AgentTesla

d37e75944e6beefb20b0a16901183c9c33bd99eda1050820e9430fde0891e509

AgentTesla

e52c7992ab1aa4ed8defe7e3cd4243f47d2c422cfb6ae78f1d360a763dbabb32

AgentTesla

+ 10'841 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200716-2elgtpdeh2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar