MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad98f33158ced7ab0acb3166f2d14ea2cf74c39276f478b3922bd0224a0f49f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad98f33158ced7ab0acb3166f2d14ea2cf74c39276f478b3922bd0224a0f49f6
SHA3-384 hash: 01558f14837b0d10512a8e848a0ca8f8c1631314a277ea1838c27eb7901953d412615ac7e301f77e4703a10f4f95e495
SHA1 hash: 9073399521790cab15ecf3c1e0b7bd444e8b9ddc
MD5 hash: 78477fb4c431df0cc3630551cbe7d522
humanhash: butter-happy-oklahoma-pluto
File name:78477fb4c431df0cc3630551cbe7d522.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:701'952 bytes
First seen:2020-06-01 07:20:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:rPnRurAiBVfQBXDTp4pMImJ8wM6RALeWtGzbLj+6xgveIhizwoz+axwE4vQHIIB:rPRurAiBVQXDSMImlLGG3erveJLIIB
Threatray 1'448 similar samples on MalwareBazaar
TLSH 8DE4E048B4B6D166C048EB343D51D23017A0AC266A30D96E9DD63EAF77F72E739402B7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.mail.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-06-01 14:36:15 UTC
AV detection:
18 of 31 (58.06%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwmpgmkyz3l2wcwlgftpfukoulhxjq4so32hrm4sfpicesqpjh3a._file
Verdict:
unknown
Similar samples:
0e79063958c1813f1809eed7653c0b682acf7270b234187374856c07f93c7b6b
AgentTesla
0f3fe234c700b316a460c05098c843efbb0965b672d0e7a6f58028669c37ccb9
AgentTesla
26c5098fbb4be4871383a901013288d16a6a2aad7d0952c28fd888e080aea394
AgentTesla
271d081750e61123ceda8a898533f5b636254030a65f14a71ecae2b8ea649443
AgentTesla
3be937bd3615e1178d145560c18a2dc17c6301de53bbf16b64aeedf1d6bf0d9a
AgentTesla
400ad786bf1e76812b70a3ab4ba345668fe07c176743f412f6ff5372238c2320
AgentTesla
63b4e4beaf7cb64789e465392b51d438b73184676d7ab496112a53e8651d41e8
AgentTesla
9841eb92f550105bc744c34152086e2c6624e08b2a99c24c9084bdc7add30508
AgentTesla
a3f8c63b9925504706f889dc1bc944a5485144007b80b042cf53accda4f650c1
AgentTesla
f4b3f3f1705bb5ab7ed5d0dc4bcbae09fd927a760aadbce66762d311450750b5
AgentTesla
+ 1'438 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-cnp8ad8hs2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ad98f33158ced7ab0acb3166f2d14ea2cf74c39276f478b3922bd0224a0f49f6

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments