MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5fc1c186bd2f864a83e308d0ace39f6efdeeaa76ac5eb56ae75dad3e9b0c96c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5fc1c186bd2f864a83e308d0ace39f6efdeeaa76ac5eb56ae75dad3e9b0c96c
SHA3-384 hash: 7e3d600735a6aace8fc112611a8b66deb36568d687b8efd5c1aa471f3b82539d2a5658eb1f99f789ce4b9f3bf828b271
SHA1 hash: 213a55e817c29f93ecc20e6a64524e4ce4bc8c32
MD5 hash: 47cc69c3d60c7e7100f8e73802beddfe
humanhash: leopard-cardinal-jupiter-cup
File name:payment005.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:395'776 bytes
First seen:2020-06-15 05:36:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:ofIWmR5L275quWb0A20zBfnbDiB9yB65SkLZfcgZZXp6561zdE+4bv:owVR2Ylb1209fnbGKM5STEZXpeMza+Y
Threatray 10'691 similar samples on MalwareBazaar
TLSH 838402197BAD2221C6BC553E89F25284037BD17A1B32F72E2A8C346C1F677D39543726
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: cloud-linux-04.chaiyohosting.com
Sending IP: 202.43.45.150
From: reserv@krabiresort.net
Subject: Re:Payment
Attachment: Payment-copy-PDF.iso (contains "payment005.exe")

AgentTesla SMTP exfil server:
mail.brahmandtour.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10244/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34016426.19424.29719.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 05:38:07 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ux6bygdl2l4gjkb6gcgqvtrz63x552vhnlc6wvvooxnnh2nqzfwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
084be7d5522c7679dc17d1aecc5e9bf4e23a1326b4632afd656a72f74a5e9e5a
AgentTesla
1b5523701605c4129803c0161e955d96ec30d18370d8783dae4a257220d0e695
AgentTesla
359c6dd6d5b5d3b1a0c3aa744d1df91f083efebeaf554b251d1607775d2dba55
AgentTesla
40e0bca62b48fe04fc0fa37d223d901a3970b0930590f08c11fa6023469bd231
AgentTesla
56ea587e8a75b7ea9d6844f9a4780afe3f108a1672bd451bfc1a3e70c0d0f5d7
AgentTesla
943f66e0edd800518b754d1fa1887b1efdc6cef0ea1a53d9a1a4fc5c54e40112
AgentTesla
968a7bf9593f8635bc6383f73cc1743b4fa776442ec7265adc138f248531bfbf
AgentTesla
aec020a6546f4efe2d5766ae7e7da2816c11badee1879d37de7845538b03035b
AgentTesla
de0bc48e2efc61427a301db89cf4c3497e235cc0ef388db3a26ba94ac734de69
AgentTesla
de17285437a4c1de71dae13eda552553af99577fdb088e7715aaf877a0cb1b13
AgentTesla
+ 10'681 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-cd9d7sfkmj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 2c220545587431f947d4cdac97c743606a220193778c2615bfef81074c2afcbe

AgentTesla

Executable exe a5fc1c186bd2f864a83e308d0ace39f6efdeeaa76ac5eb56ae75dad3e9b0c96c

(this sample)

  
Dropped by
MD5 4122f522a024be4f9b16fcc7efc492af
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2c220545587431f947d4cdac97c743606a220193778c2615bfef81074c2afcbe
Cape
Cape
https://www.capesandbox.com/analysis/10244/

Comments