MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4acf9d1c576b9463cad3c69b280750a03530a12c3f020cdffdafffc2c2be808. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4acf9d1c576b9463cad3c69b280750a03530a12c3f020cdffdafffc2c2be808
SHA3-384 hash: ced07090133aa67c136ac0c9117a2c21011aaedd2780db1b1dcbd3b3734cd2a2b3ea2e685d2ff3d1bfd210dcc5fbc2f0
SHA1 hash: 4e34d30df45bb9720e93486429d375b7ada3cc13
MD5 hash: 1972c4227a9da6e8adb2df4f5952306f
humanhash: juliet-michigan-music-september
File name:RFQ #20208643578.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'548'288 bytes
First seen:2020-05-13 16:46:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:ktb20pkaCqT5TBWgNQ7aM9Rj8UGY+EtvyDBzKULoN3ZxLc6A:NVg5tQ7aMTNGpEtCNK/ry5
Threatray 9'572 similar samples on MalwareBazaar
TLSH B765DF12239D8264C3BA51737A15B7416E7BF82507A1F4F72F94CA3CA9601E10E3E66F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.sgbcg.com
Sending IP: 113.11.251.241
From: Meyer Wang <parwezasha@gmail.com>
Subject: RFQ
Attachment: RFQ 20208643578.zip (contains "RFQ #20208643578.exe")

AgentTesla SMTP exfil server:
protectorfiresafety.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 17:27:00 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uswptuofo24umpfnhru3fadvbibvgcqsypycbtp73l77ylbl5aea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06bdfeb06913135fc27119ebf2c896d2ff3d30e05a1cbd53ad1d0f632a4fba46
AgentTesla
1fdeff12a76654fa755bc975b5727280884ee49ce3881411b1769bbdc75688cf
AgentTesla
3b5dc8a1abf2105b4275098e8e11a58b5dcc4c5025f5c808f0facb6fdd3cd2f2
AgentTesla
514d4ca192ce33a6c40938c91388dcb1b8eecfde5e030319ecb4e4a309f2347b
AgentTesla
6bb44095be3bc2a75600fae1f3ddfb1602e4c00a55c7c153db899ca662059313
AgentTesla
76549c9c9acbff7d3132d651432efbc45aafc2d12c70816d439b4d06a93febe5
AgentTesla
76a9e5adfaa09f62bf8ec4902614b0224938a1ba93ec5af755629ff684b51278
AgentTesla
7f88570972b45202587d9ef6f5d8e7c447519c8add58523f162a5fdce479648c
AgentTesla
f48fadaef41e4ea454e0325f4f7bdfce964431c54ec8f623c1e34140d4f4dc78
AgentTesla
fa84525a3f72a0cbed41a990523a28aa5edf705016713ffd2da78c56e309dbe1
AgentTesla
+ 9'562 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-vlb2ascahx/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip eacad6cccfb63ebbd0a4acd665add61cf16b75755e5133ef2726a11c99aa8270

AgentTesla

Executable exe a4acf9d1c576b9463cad3c69b280750a03530a12c3f020cdffdafffc2c2be808

(this sample)

  
Dropped by
MD5 1fa045413da10f83c7a4118817931f61
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 eacad6cccfb63ebbd0a4acd665add61cf16b75755e5133ef2726a11c99aa8270

Comments