MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a959a2834a98565e519eeadf6ecd71aea91ad04c2a38a73f17f2f60ee43f23ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a959a2834a98565e519eeadf6ecd71aea91ad04c2a38a73f17f2f60ee43f23ce
SHA3-384 hash: adb58033a0b81e9ae8ad3a3d5c8f9607b64e493b34059239016800a80f83b2f2572427e447da88c627f66c8e65f1d4d5
SHA1 hash: 62a90e661d5fff2b51f033f55c3091be6e35dc15
MD5 hash: b36c54de29acc6c0b0d916304c3a7405
humanhash: asparagus-massachusetts-orange-comet
File name:P.O 428223.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:488'960 bytes
First seen:2020-05-12 11:33:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:FxzgxPxhm9vxZGIorYMC3/I9DgmWUBKEz/sKA5la70jjf9PXBOMLEz1HREOek8wF:FEPxY9v7rmyt5k7mPBNcJTeiF
Threatray 10'627 similar samples on MalwareBazaar
TLSH 58A402A27298EB07D7AE41FF8880A34403F4B1967A91F7DA5DC291DD25D0BC24D92DCB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: api.vvillowood.com
Sending IP: 89.46.79.252
From: Sayed Moustafa <anna@vvillowood.com>
Subject: RE: Enquiry from Dubai,U.A.E, please check.
Attachment: P.O 428223.iso (contains "P.O 428223.exe")

AgentTesla SMTP exfil server:
smtp.aerotacctvn.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisB36C54DE29AC.17836.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 07:38:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vfm2fa2ktblf4um65lpw5tlrv2urvucmfi4kopyx6l3a5zb7epha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
025dd1259e4f221e25144622733ef5de70d4f6fdfd9ec3e23558529f2ba80fea
AgentTesla
0cbeec037901550f7d50076bd0aef2937cafe6699a81c3859c47debd90fee98e
AgentTesla
0ff96346be4508292ddabc6d9b32fc697b710d5f826e9bb213f7c2f4492d2937
AgentTesla
131d016519d6ec1f5ce66362f5c4c917d4cdf0648242f20272b59a43764c53f0
AgentTesla
6920173eb3c5031387b852bd2dce1bdce04ed1199b914b72a009fe257d7e6766
AgentTesla
80fbc22a86b0bdd1628897a522a16daa48af2e0ab58dafde86fd26f69526f9bb
AgentTesla
95a428e8e715c2196655a1a0ff7842d1867d894c1acfc4f04ebf552537c57a4c
AgentTesla
a452cdb62ce6e25a0202e638112c3837fcd9fc7eb9b8d21b49fac3da79d2e27a
AgentTesla
d50395ef9eff3dbaf836d41028e7231cecd43d80880592f2668e0be8cab5b06d
AgentTesla
f134ea682b658d440872d3bee407f639781cc715e9427942bbf896db8822a112
AgentTesla
+ 10'617 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-1d6pnaajae/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

565604d2b9e843c110563edb5bf8301a

AgentTesla

Executable exe a959a2834a98565e519eeadf6ecd71aea91ad04c2a38a73f17f2f60ee43f23ce

(this sample)

  
Dropped by
MD5 565604d2b9e843c110563edb5bf8301a
  
Delivery method
Distributed via e-mail attachment

Comments