MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b08f164f0363528f8928f01133da533a2868e12b95177df09b2f11e78510e02d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b08f164f0363528f8928f01133da533a2868e12b95177df09b2f11e78510e02d
SHA3-384 hash: b747ef0e80f7c1ba9c1425751711bf73bde16bf8ab9b4820092ee3cf7cc0c369894ad59441d0e7b268d1f7fb4fd73d43
SHA1 hash: 9af0a3622f58f4b50c9159cead2f672ec4707ece
MD5 hash: 1d025c80f31210ed9530941eae6633da
humanhash: tennessee-saturn-maryland-bravo
File name:hvala na predra unu.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'098'636 bytes
First seen:2020-05-22 09:28:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:Ow80cTsjkWatak+ueeGWDoIjrwlYw8OnGOg0sz:z8sjk4wGWDbjrKaf
Threatray 792 similar samples on MalwareBazaar
TLSH 4CA5F12273DED371C776A133BA69BB042EBB38618A30F85B1F840D7DBD50162552D6A3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: cink.avalon.hr
Sending IP: 185.58.73.21
From: majanovic@ptt.rs
Subject: Ri: Ri Hvala
Attachment: hvala na predra unu.zip (contains "hvala na predra unu.exe")

AgentTesla SMTP exfil server:
mail.kapackserv.com:26

AgentTesla SMTP exfil email address:
uzorchukwu@kapackserv.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Ramnit-1849
Create hunting rule

Win.Trojan.Ramnit-1847
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.19347.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Virus.Ramnit
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 09:39:53 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
45 of 48 (93.75%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0470f08d56065fb5c78585dcc719c097276d9831beaa6d92c5e4b9460b8fe22f
AgentTesla
0bbe99d89a3e5e1b3ef7a9a9c6763ef85fb21a280fed3b913102e71d2368bbb6
AgentTesla
182b0c57f42b1dce3fd1f38350494d60c8e5bf94bb0aa11bd8136c358b404e9d
AgentTesla
ac5ebb2296437f981009943674e53071e6154c70b2ba473f816a3fec9a42d172
AgentTesla
aea00ce89a5c0cc7c73381533180c5968ce79341516a262ae938a31acd7cadd2
AgentTesla
cfd13da57bb620ec32a6ad174d4d4cac2c715af8e7aaa57931574152f5fffdd9
AgentTesla
d67c32bf724fef79bda2e34d5c1d677a813c83d40f4a914601696ecadfee9919
AgentTesla
d8c07fc0cc1addc3f25623ac872703d2c10ae5e8fadc7370e13b4162e063a376
AgentTesla
eee4d211bbffe896f0de21854cb5adac6e10c85016986efd260b45c7022d7521
AgentTesla
f8cf294263a5456fabf8b475376392198c9462f7035714d77f0e31ab437332a7
AgentTesla
+ 782 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-831bjj194a/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 570d4ac0ca764601b37e77aea4b5bf8138bdbaa24f46255fa68b09d4dc62869c

AgentTesla

Executable exe b08f164f0363528f8928f01133da533a2868e12b95177df09b2f11e78510e02d

(this sample)

  
Dropped by
MD5 9ee8d82627de869ed99650c6946ff0c5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 570d4ac0ca764601b37e77aea4b5bf8138bdbaa24f46255fa68b09d4dc62869c

Comments