MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af0e59dcbfdc7a8b1a13748ab6e392d165e6b91f0a1ac946b3ea7dc3cbb4fac5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af0e59dcbfdc7a8b1a13748ab6e392d165e6b91f0a1ac946b3ea7dc3cbb4fac5
SHA3-384 hash: 703463efb019a6247960aeb315ffdfe7de80777f69620cb83be31ce167034f29cd743d84a800c8c5626dcbdbf7fab610
SHA1 hash: ad6b064285e555300d2d28addcf116c060d4edfc
MD5 hash: 5cbf6e400502a71422dab9371f5e7954
humanhash: queen-triple-robert-oregon
File name:HSBC TRANSFER PAYMENT SWIFT copy 03-06-2020 .pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:650'240 bytes
First seen:2020-06-03 10:26:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:E5u1M80sdqPav5xb3F41agKoPMKUK502Mi/4lGs:P1bIabpLgHDMi/4H
Threatray 10'664 similar samples on MalwareBazaar
TLSH E5D46C2A23B046E3FB74A4F69C6C6E14D275DDFF8980F88C5B5038A71669770E13246B
Reporter abuse_ch
Tags:AgentTesla exe HSBC


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: hsbc.com.ar
Sending IP: 103.141.136.136
From: Nahuel FORTI <nahuel.forti@hsbc.com.ar>
Subject: RE: PAYMENT TRANSFER STATEMENT
Attachment: HSBC TRANSFER PAYMENT SWIFT copy 03-06-2020 .pdf.zip (contains "HSBC TRANSFER PAYMENT SWIFT copy 03-06-2020 .pdf.exe")

AgentTesla SMTP exfil server:
mail.jaccontracting.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 11:03:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
21 of 31 (67.74%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v4hftxf73r5iwgqtosflny4s2fs6noi7binmsrvt5j64hs5u7lcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0634e4d99acb33ab8ea8b8f48eed2ee32ba96bf3ba9781bfe59a17b2f57e9f59
AgentTesla
50233896ff515a5b1dd115f48cbff01aa9cf1d59e0af543740cc13c9a89c95b0
AgentTesla
587201350f1607e78ccfc8809dd7c8646ddd44ec4db8933b998043b9fba5bf72
AgentTesla
6f9cbaa045e20abe4f011a4893b48dfb8e39c2cf44d9588d5c88eb03cdb32c2b
AgentTesla
9dd769cb464834591e19709c8e98d97f84dbf86b3e8d35685e88373c1c73c549
AgentTesla
a014e0a743059e2028857df1f0440dc364c988f32100a5530a719f0339a0bf99
AgentTesla
d2a97ab97d0977567f4b2ee6ba659725fc82e9d4fbdf293b5f2bed5152d40af5
AgentTesla
dce1e0ba1804a1f7f1deefd167342fa83f1aa5a3d14ec8be14b6cb10b8beb831
AgentTesla
e0b817181540e409f276583418e63e0f73a7ab36a323b86b304cd21e3a91f788
AgentTesla
f218ca5df76d3fd3af680e0a732a71e441da31cdabfee7b9705afaa4c0037c12
AgentTesla
+ 10'654 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-fp8jl51qts/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 206c8e8180804ada56e6dd5ef01c31302a48a385c9365391471f0f9b20e2b950

AgentTesla

Executable exe af0e59dcbfdc7a8b1a13748ab6e392d165e6b91f0a1ac946b3ea7dc3cbb4fac5

(this sample)

  
Dropped by
MD5 e4bc7139b3c51d9657102b0efd81f0dc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 206c8e8180804ada56e6dd5ef01c31302a48a385c9365391471f0f9b20e2b950

Comments