MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab5f254a91426311df7fe85d3442b62c7b69dd1c6e444ef725ddcba5a06ac961. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab5f254a91426311df7fe85d3442b62c7b69dd1c6e444ef725ddcba5a06ac961
SHA3-384 hash: 2a3a827fcc2024e06a2480e41c395849dabdbbe58521592e42e2646503a54f924f3905e4370ad1c95fa1fb461a4c8677
SHA1 hash: 75de209d727492f675faec351f728c2b9d09b565
MD5 hash: dc5f5ae953f37c7f54a3d787fc2353ca
humanhash: edward-wolfram-equal-white
File name:overdue invoice.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'359'360 bytes
First seen:2020-07-14 22:35:32 UTC
Last seen:2020-07-15 02:15:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:1nvIDJIvvde9nJYPDJIvvde9nJYnIku3eILuslj9b9QXTOObc/0P7r9r/+pppppD:F2Iv0nJYdIv0nJYw7Fj9pQDuc1qv
Threatray 10'680 similar samples on MalwareBazaar
TLSH 34556B8151451278E518F2F9A622C4B6A601FC7DE0B0547E26FCBF13A6B5A73CC85FAC
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25851/
Detection(s):
SecuriteInfo.com.LuheFihaA.27501.29098.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a system process
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ab5f254a91426311df7fe85d3442b62c7b69dd1c6e444ef725ddcba5a06ac961/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-14 20:39:15 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnpsksurijrrdx375botiqvwfr5wtxi4nzce55zf3xf2lidkzfqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04a9ddb426b6bc9febd1f0fdf436cde01976a37b8c99fbbabbd0076ac4a0be92
AgentTesla
25ef4eb5dbb6b39d8563f3874eaeb97f1637df07278bfbdad0161afceb4164e4
AgentTesla
2e26f3d20d246b10bfabfceb33cbfd707049377dc821e2cd4ef9f77ab599693d
AgentTesla
6fadee8038751819aef12bc1abc18e17efbc53a8cdfb977dc5cde08e5d0c1552
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
973de14a37f6408161ec0ec249a50527d3cdf4bf7482a67134ac7b0c9e3b7a25
AgentTesla
ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317
AgentTesla
b07177183a0f5cce808293132d98364a64495885d4bf1bbe7e2cdc39418d723d
AgentTesla
d09722da6fd4b8eb8ba3ee4d8e8a7ffe2cd396c410fa074bcb9fd0b44e399cb9
AgentTesla
e00c10de42f280a8a4cdb98618940bb9d767bc455154790ece3c265af6eaefb4
AgentTesla
+ 10'670 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200714-x18le1c55s/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d4ff3eaece5fb078d5487aaec85048eae39c80b5857f5b5745d3a3128e02aa30

AgentTesla

Executable exe ab5f254a91426311df7fe85d3442b62c7b69dd1c6e444ef725ddcba5a06ac961

(this sample)

  
Dropped by
MD5 f4006124ad3cd3247c1f065e050b3517
  
Dropped by
SHA256 d4ff3eaece5fb078d5487aaec85048eae39c80b5857f5b5745d3a3128e02aa30
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/25851/

Comments