MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa8c8d0ec55c08d2adb88281098498992f2c415464626548c882cf7b59c54ed7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa8c8d0ec55c08d2adb88281098498992f2c415464626548c882cf7b59c54ed7
SHA3-384 hash: ae58b1755b621e4366b81965998d8bad9049b095d891ef5dbfc34ad38f9227b392303984912f0b020b069ced0ac8588b
SHA1 hash: 24226a8f1e90f6a961f6070d5d4a9402594778fc
MD5 hash: f47f1289bff50064e85c46dc454b7359
humanhash: undress-nevada-eleven-xray
File name:Transfer Forms.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:417'280 bytes
First seen:2020-07-13 11:26:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:oFROc4386e6Zoers9EzPB4+WO9ZZ6PfLj7f78hddd9g3tGwS+qyLH:MR08Koasup9ZZ6PfnL78db9V
Threatray 10'714 similar samples on MalwareBazaar
TLSH CD94E152B28989A6FC3A16B16C4BD710C2A5AD69D995732D32D6B70E4CF3303006BE5F
Reporter abuse_ch
Tags:AgentTesla Endurance scr


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 162-144-100-85.unifiedlayer.com
Sending IP: 162.144.38.36
From: PAY-U <enquiry@oxy99.in>
Reply-To: PAY-U <account@payu.com>
Subject: INCORRECT BANK DETAILS FOR PAYMENT
Attachment: Transfer Forms.img (contains "Transfer Forms.scr")

AgentTesla SMTP exfil server:
mail.northwestpowdercoating.co.uk:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25235/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.44601.28947.7173.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aa8c8d0ec55c08d2adb88281098498992f2c415464626548c882cf7b59c54ed7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 08:58:19 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vkgi2dwflqenflnyqkaqtbeytexsyqkumrrgksgiqlhxwwofj3lq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0dbbf2cbc107003ef3ed572699f04d0de6c00c65a6aece3098f7a473acd0f834
AgentTesla
23b93bf59a03f210eb7b4f0054944dc1b0e09a8ac1fac00c5c4b30dc4b3263e5
AgentTesla
392faa37063ee6a619a3091d1d7a27b8c0d86d35a7f1594720822f8a94ce9d1b
AgentTesla
8470a2e93ae48abb1b987d9927277eb7a3bde99fe0d048274f839cc25aa3aa95
AgentTesla
a328e8d5a2b4df219aad313546991fcd37a995373320a84d32ee33f8a5cf867d
AgentTesla
a718e6c2ed2f55f15dd9da00dace39eff7a8c277418e2dbf5a3cd17ee1ab5c48
AgentTesla
c62d74e427c8f171115756dc18267a987b29b7d289e34daca91027bc87a5c6c9
AgentTesla
d5434b833a6b29c1f83aee2a0c8c5584467e495e452f7e6e676235b7e4870033
AgentTesla
d8bc45dfe42dc6266ac8e05d9e00206c3c4997dd2c287bb5ef1d4bb8862b8d02
AgentTesla
f8489030f3c79639a56320cdd06179b2f3cf280824cd80d8b3c333c8aabd3d9f
AgentTesla
+ 10'704 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200713-fcy42anmga/
Behaviour
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 83caf62dfc3da965def6339a57b98c0fccbf0b72af3411a787e729c5ee949be2

AgentTesla

Executable exe aa8c8d0ec55c08d2adb88281098498992f2c415464626548c882cf7b59c54ed7

(this sample)

  
Dropped by
MD5 6b43bb0535814aa9278eaca882a76c55
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/25235/
  
Dropped by
SHA256 83caf62dfc3da965def6339a57b98c0fccbf0b72af3411a787e729c5ee949be2

Comments