MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae9ea028d892118f67f92b5ff6a3a06185e0328a15f844d2209218677154876f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae9ea028d892118f67f92b5ff6a3a06185e0328a15f844d2209218677154876f
SHA3-384 hash: 79f455c6a7d20988c1e38ec48d7ec6886807f0dc8ad5d886fb7822d54ddba59eca2ae0401d98bf7b3c85379cd4720463
SHA1 hash: acdb30b10d3a54c3e431ecfd08b0d8a1653ec776
MD5 hash: 8a4712f8fd715e41a2845a6fa53c6809
humanhash: juliet-low-oranges-ack
File name:INVOICE PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:463'872 bytes
First seen:2020-07-06 08:52:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cueqvKo1EqfwFJtuTC5NnmFxw1tOlRDuF+XPn3Vk:cZYGqYpmC5NmFxsOrfP3
Threatray 10'638 similar samples on MalwareBazaar
TLSH E1A4E1B702877EEAE73D0EB4D25422400DE91D6B9B70C845BEC831C913B9B64DA78E71
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: chisa-novelties.com
Sending IP: 103.99.1.174
From: yummy<yummy@chisa-novelties.com>
Subject: invoice
Attachment: INVOICE PDF.zip (contains "INVOICE PDF.exe")

AgentTesla SMTP exfil server:
mail.dianaglobalmandiri.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21402/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ae9ea028d892118f67f92b5ff6a3a06185e0328a15f844d2209218677154876f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 08:54:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2pkakgysiiy6z7zfnp7ni5amgc6amukcx4ejurasimgo4kuq5xq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03035f39055dc379e10a3f7a79092877c022272c9fb14116c44bd9d3ed637655
AgentTesla
0f554bb19749e97d63525c4d964041e8d6fc149cb0aec5c4560cccf09babc39c
AgentTesla
1dc42296af9ef7fa6fb9f894947b9547b964ff2926894bb2b52a09283b7a4b60
AgentTesla
3753be46dda5f897bfbe00944241e5b7b11d77bd0e0a919ca3a751354faf6319
AgentTesla
39c437d661ebd2816fb9228a00524a526abbfea18a3b17aba9a4abbfd7691045
AgentTesla
71146568c5f7e1bc849a6f73bf08ba68c14e73fcaf049da083879f15a2cecc44
AgentTesla
7850417d2c934eda23e7c968df7b7ef4d76c85328092b10826c3a8652388dba7
AgentTesla
be1eac607eca859161e6a64dd8b749753cfece02021d70fb7c68f46921699350
AgentTesla
da9f9ad44fc0d8c99aae693acbfb999e50fd82aa095cfbfb73fdcc92a7118079
AgentTesla
de638d68163fe7f49b3371adbe9456b2c2ed2ef5182324e768dc42793591c7de
AgentTesla
+ 10'628 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200706-k3cd87debs/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies registry key
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Drops file in Drivers directory
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 98d005d093d4c7d1374b62b4c17d226d1959453f8d165a513e0751250ae0da82

AgentTesla

Executable exe ae9ea028d892118f67f92b5ff6a3a06185e0328a15f844d2209218677154876f

(this sample)

  
Dropped by
MD5 0e470e885114c22bef19bdd9749e1a46
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/21402/
  
Dropped by
SHA256 98d005d093d4c7d1374b62b4c17d226d1959453f8d165a513e0751250ae0da82

Comments