MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5ff8e007fbe3057f592721fcc17dd89e35821085ebc0ac5093240faef1c4279. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5ff8e007fbe3057f592721fcc17dd89e35821085ebc0ac5093240faef1c4279
SHA3-384 hash: 7c661d34b64249483989c209ae67ce56dc3de2b4256bf5ad268723f167e222adadef36eacdcff55582a42ccb64b1f9b6
SHA1 hash: 192e88840e17b42ec73a8ec3e43e5a7aedca5715
MD5 hash: 30fed5e64b4dee6388fc2137a4f68981
humanhash: king-maryland-salami-floor
File name:sfhIXiYdedsCqCf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:536'064 bytes
First seen:2020-05-08 13:39:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:zEL+oJeS3uEOIs+f+3XAi6u3jG/4pRZX6KhytViE6zf4iwh5XToC:zw3uE1s+f+3BB3jBN
Threatray 10'576 similar samples on MalwareBazaar
TLSH 46B4BF9D365176EFC857C876CEA42C64EB1074BB530BD203A06725AE9A0DA9BCF141F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla payload URL:
http://185.234.218.145/sfhIXiYdedsCqCf.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-08 14:35:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ux7y4ad7xyyfp5msoip4yf65rhrvqiiil26avrijgjapv3y4ij4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
065bc29beee579f4df10691c61b9d3bc38ac4c271da4eb2e1ccfce7a2e33dd93
AgentTesla
3cfa2cb8bb85c016d2947f42a22af6c29e11e87c6ecb77c3b7b41ea674212643
AgentTesla
574e8b859713dc8c690e0e1d2a0f6f9277a53582055170b59853b224c6d9434b
AgentTesla
6c731b9e623222de40d78c857573d713bafce156a4b42dd445a840fddfe585be
AgentTesla
745110c4c62b046770c913cb9c5760e4728047f6ccf08fcdac12f8c3f9ac0be1
AgentTesla
86d582a56bf66668d48c05b3511f17d2ec97c98d90bc4e656584d1ce09630233
AgentTesla
86ed0ebbd24ad4c94834ea45d9af009a08738c1341b95ca0d35a59ffdc726de7
AgentTesla
8d175348d054a71fec626c9ee281e8bd85747864997ade10986e94f94af24273
AgentTesla
ea2e7ec387cf91e0ad3d44c01b25adc702061e93b66d21f8b3dd1eab812045f9
AgentTesla
f3152e46c820e311db7698a4e07cdaad02e5c0b1b46545e4b40361504d9c7eaf
AgentTesla
+ 10'566 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-84dgehw2aa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xlsm 8eedef23366481e699edf3fef709acdbffd1da46272274a2987d2d131077f5b1

AgentTesla

Executable exe a5ff8e007fbe3057f592721fcc17dd89e35821085ebc0ac5093240faef1c4279

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/360001/
  
Dropped by
MD5 eecc395faed6c8c7477347b808391250
  
Dropped by
SHA256 8eedef23366481e699edf3fef709acdbffd1da46272274a2987d2d131077f5b1
  
Delivery method
Distributed via web download

Comments