MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a877edd01cd23c7ab7846c5f8e8820accb33965764770341300354f346a8e7b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a877edd01cd23c7ab7846c5f8e8820accb33965764770341300354f346a8e7b5
SHA3-384 hash: 03ec8a67912d8de2016af569eed26fa9d7a14c137ef607bf128d61c77beca5b35217bded3714e31335926f48678f320d
SHA1 hash: c5693b0b11bb2f695fcfbdbd076728dc5bee4eeb
MD5 hash: 961d270d95a23bc2c78960d62754e633
humanhash: jig-mike-item-cola
File name:961d270d95a23bc2c78960d62754e633.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:308'736 bytes
First seen:2020-05-28 06:51:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:HQlBVcATm8dlABtRXdtOjRNTJnXzCQ49vZ7iLbEb:HQJlABtRbKOZ7
Threatray 10'746 similar samples on MalwareBazaar
TLSH 5964397DAB88B902F13D1D7291E2522056F1D4834E12C34F6EC46AFDFB517C92E4A3A6
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
server257.web-hosting.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 06:04:17 UTC
File Type:
PE (.Net Exe)
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
058edd37e76814c72e3b158791ec7ce2313550521bd522dba07d6c21903aee7b
AgentTesla
29dbd904452edf79122808dfb4810fcf8d089b8e298f68d48497c4b82ebcb1b1
AgentTesla
38a112ac5ecf5d11e3e4f70fe462ec424bd0aa8c67495ac6744b0bbb8082f5ba
AgentTesla
4aba472bffc408315c06d8d015ac5241175d6ccfea8c3c04065ba64eccd94cfb
AgentTesla
5230cda14200f44ae86150bf46d875dacdac03db38a60c254451e5aaf0d1dbe5
AgentTesla
7f739c5eac76d496c71d9a0b24abe3d9990adb95321a1145eff1f3e68e3c4745
AgentTesla
aae624caec254144105749a9b12bde61f77415ce28c9f28cc2bfebf0fcbff1f9
AgentTesla
adb35f04f0e72fdbde5d24f2a590e71fd4424ef5e1ea354ed546eb1c17a1b6d5
AgentTesla
b326e71388c8abfb8e0e74aa913863af33e3299ad79fa42dd2d3e4c44e63da2a
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
+ 10'736 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-prn2ewxdle/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe a877edd01cd23c7ab7846c5f8e8820accb33965764770341300354f346a8e7b5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/342107/
  
Delivery method
Distributed via web download

Comments