MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a596fdfb8997f081dd7674b248d02518f1052fe4b1c384a050f6a82b65816311. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	a596fdfb8997f081dd7674b248d02518f1052fe4b1c384a050f6a82b65816311
SHA3-384 hash:	f443852235ad13569f577727cdf22208fb18519946384f49358b9a2981053d4155c7500a7e830283e2f06d8d73ca0acc
SHA1 hash:	643756d113aee3eb277f41b2c8d8990b16e726e6
MD5 hash:	648d11208985f3b9139fbbb9fa780222
humanhash:	harry-six-jersey-princess
File name:	datasheet.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'792'408 bytes
First seen:	2020-08-04 13:34:42 UTC
Last seen:	2020-08-04 15:22:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:MHLTAHknUcqX2mJ5vRQAOOF+1cdNRO9+84N+tGNqV11lfA2hgEtjqpcfB:OXAEXqXdvRQAnvxOUlOGNqb1lfhg85
Threatray	10'900 similar samples on MalwareBazaar
TLSH	B085CF3836839804D53E093694A5E2E873B0F9867B15CA0E39CA1F6D7E5379B7F07522
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: kalpataru.com
Sending IP: 209.58.149.66
From: Samrat Bhoir <samrat.bhoir@kalpataru.com>
Subject: S04052 – SRU Paradip Refinery/RFQ for Manual Valve/001
Attachment: datasheet.zip (contains "datasheet.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/38734/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop13.35840.24790.5108.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/409508

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Installs a global keyboard hook

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a596fdfb8997f081dd7674b248d02518f1052fe4b1c384a050f6a82b65816311/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2020-08-04 13:36:10 UTC

AV detection:

29 of 46 (63.04%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uwlp364js7yidxlwoszerubfddyqkl7ewhbyjicq62ucwzmbmmiq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

10b2155331d3b0c7934808e52084c3911f82ece51f39836e3ef0e8db39ee9904

AgentTesla

11f9f60f3980a42f06858e5e684b8dedb4b134e9bb357a1043ded9a96353744b

AgentTesla

5a1ff51485fd7f49e413093ab5c705265a6d5ec108c1ce955fbe99da3d29aa33

AgentTesla

6824c4afb5e56e0c2b3e0b89a4acde70bcc2bd792334a6600225e623162ae621

AgentTesla

73227e5663576f946ecdd31082bd8ccbd65cb8332f3ccff9807d43c2481276aa

AgentTesla

87dfe4ff436d339cb76d24a85574742d33682b1a38d2c08cc85781b14cb8890e

AgentTesla

90ffadcff25b2faecd4cccabac3af9f5329aea12e3330aa408545408bd482fce

AgentTesla

94fcc8c7fd53c5463c0d33d1f74b5c7c8c0ae95ef097477958acb9df1ae5a15e

AgentTesla

c3196a4d4498a77b2e27353a3cd61ce5494bdce1f29f5643e8fece30aba5a20e

AgentTesla

+ 10'890 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer family:agenttesla

Link:

https://tria.ge/reports/200804-f59ag25xvj/

Behaviour

Agenttesla family

AgentTesla Payload

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.88

Link:

https://yomi.yoroi.company/submissions/a596fdfb8997f081dd7674b248d02518f1052fe4b1c384a050f6a82b65816311

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar