MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aff3a5fa9bbbeaa48631511bfcf0a0cd9b4873cb2087acdc6e7a05fe3bfaaa2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aff3a5fa9bbbeaa48631511bfcf0a0cd9b4873cb2087acdc6e7a05fe3bfaaa2a
SHA3-384 hash: f9b35ec1716b65e754d5c939540c4c5f1f836ff597035fc94b0b049a497b029259eb18356e313ccc1ad2946cd72411d1
SHA1 hash: 0efc6d930532b3e6c9fe18f8ea05dfc73c3426e2
MD5 hash: 059c5260e942f077b7a123580cc6815c
humanhash: july-nineteen-romeo-pennsylvania
File name:Repeat Order 2020.PDF File.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:628'224 bytes
First seen:2020-07-01 09:25:48 UTC
Last seen:2020-07-01 10:01:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:kR2I9GBTgVOffSOQC+VuI3Y+ss6cakb09pl4dfb420gS13/aZPI:kEBsLGcuIizSbml4dfb4RgSZ+g
Threatray 10'649 similar samples on MalwareBazaar
TLSH 39D4E10983908FAAD3BD7639D632A0254B70CB83E9C7F707284CB8D592837D52957376
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server03.imanila.ph
Sending IP: 203.167.7.88
From: sales@handyware.net.ph
Subject: Re: 2020 Repeat Order
Attachment: Repeat Order 2020.PDF File.rar (contains "Repeat Order 2020.PDF File.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18147/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WOX.16697.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aff3a5fa9bbbeaa48631511bfcf0a0cd9b4873cb2087acdc6e7a05fe3bfaaa2a/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-07-01 09:27:07 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v7z2l6u3xpvkjbrrken7z4fazwnuq46lecd2zxdopic74o72viva._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0557646805d712ca2f91d47d8cb95a292b611886903e6824f3948182228ef750
AgentTesla
0de5bcc23dcfed9f7b902e5be03c518692b168180a1fc5d239c5bf01ea9be122
AgentTesla
65603c7a88beb93205d2012ca8d63dba310fc0f7f91fc81300734ee3b2eb3f10
AgentTesla
75830575168e1d024a8d0c86764cb9b88eea3c79f0c4a24fb39d4e94fd2c42d7
AgentTesla
9760fda6400807116c51ab239dbe2d60492eb1a49f3d31284b70e756ceb860b3
AgentTesla
d18bcd6d166abe550a2633e07b2225dfaa97a7428eb1d3449b3d6b6db74e348a
AgentTesla
dcbd6522b7ba8bfb856038cf4dcb24782cab61a9e3ce15bbf9afcdff9c6c4f4a
AgentTesla
dd668abafa9cbdf937e710f2e2e7f6228ca99c7a226b507d43f887c03dff8509
AgentTesla
f1225483f2b3b7294d48d7caded3576b3105e203a65179c308b100e45002ee91
AgentTesla
f1fddc0cfd9632772ba10b059d83a1bb34b01a81766e61804bc39ca3898c5211
AgentTesla
+ 10'639 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200701-9daqfyxkzx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

e447a314a2763664d50aac3501ebad3f

AgentTesla

Executable exe aff3a5fa9bbbeaa48631511bfcf0a0cd9b4873cb2087acdc6e7a05fe3bfaaa2a

(this sample)

  
Dropped by
MD5 e447a314a2763664d50aac3501ebad3f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/18147/

Comments