MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaf458d72c1ec9e6a99d8b10d58f54b6ae6695277e69a768152d8b35ac0bd65f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aaf458d72c1ec9e6a99d8b10d58f54b6ae6695277e69a768152d8b35ac0bd65f
SHA3-384 hash: ac9bb04f6488a5dfbf15833db455b4ffee147f74f46c5c8bc247f26df826d607624f437945bcec60b8eab7e2653247e5
SHA1 hash: e5f3e4b8b6b2c36bcf1c0fd77ab00bdca23a37bd
MD5 hash: 9231828983654551695507f6ecded311
humanhash: social-blossom-ohio-oscar
File name:200513250475 - SGD 31_621.00.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:550'912 bytes
First seen:2020-05-15 17:35:57 UTC
Last seen:2020-05-15 18:33:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:GyehbX/9PHUDdxcQuhJzms8k1yNpuVphgPzIQmeULe7MyLxAhcev5fAADPA2R3RA:GycZPAEQuk2ivTb7lAhzxAAJ1Q
Threatray 10'633 similar samples on MalwareBazaar
TLSH 44C4BF151884956CD3A977B68F23DA3653E0AC1F5F0BC55B14E4BD873DFB2C28A03A92
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VXU.6536.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-15 17:35:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vl2frvzmd3e6nkm5rminld2uw2xgnfjhpzu2o2avfwftllal2zpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
016bf81b8cdc4fcc9ac04042ac139e89d3ad2484dc76f42085582ce957efe536
AgentTesla
1ed02e3d62ab52224d7e809c743cc7f69b840a9bae0454cd9f88a788d02fc44f
AgentTesla
6bdd8e261ca0797db3da63df3f15f121adac13e96ab268d18b44ea769242559d
AgentTesla
7d50f85be9ba623c39990f888b9d1d43ac5fa8c317529a3256f4c79d48a626c7
AgentTesla
90a3f9c16212982044dbc219b787e1ac251f48dd011a202a8c125dc049c3036a
AgentTesla
9ac8d9211067d6a7481de6c319a8b1539e60d6b63b4cf8588167fea878b5bbf7
AgentTesla
bca6c7e57581bc8bb91c9a9aa1f7d7d36aa35c630b37cdc4bedbd68df74e6186
AgentTesla
df696f5fa3df8ce1eaca951cad491770b1d7aeb6e6326a360bcdb266f6d31620
AgentTesla
e53b85600f2e1d2c612854eb25aa5ebb3cf93a966aef11b22e186f65cb097506
AgentTesla
ea2e7ec387cf91e0ad3d44c01b25adc702061e93b66d21f8b3dd1eab812045f9
AgentTesla
+ 10'623 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-4pk3v697gs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments