MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1598babaf2279c6f6a884fa4b783d88c37c507f6cbaba89e859a8f197166bbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	b1598babaf2279c6f6a884fa4b783d88c37c507f6cbaba89e859a8f197166bbb
SHA3-384 hash:	a76394255603f1c2638c39efc52a574a6a6e6e999094699acfdab79096ac8e9e12c52b89a27654e3371b44dc591285f7
SHA1 hash:	884e968e88518a898059ae18e2036519a3d91869
MD5 hash:	d1e8dce6a721db237f5f4fe8479910be
humanhash:	wyoming-oranges-lake-river
File name:	Notificación de detalles bancarios.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	439'808 bytes
First seen:	2020-07-03 15:57:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:xuVUCpGhXd2/JJTQS0LKICWkSiCfSn9M:UVUCEBd2/PTQRWICUTO
Threatray	10'676 similar samples on MalwareBazaar
TLSH	2094120123A51B66D6BE8BF91A530A0043F0B542A5B2E37D8F9F79DF16B1F204A11F67
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
smtp.mail.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/18761/

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1598babaf2279c6f6a884fa4b783d88c37c507f6cbaba89e859a8f197166bbb/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-03 15:59:04 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wfmyxk5pej44n5viqt5ew6b5rdbxyud7ns5lvcpilgupdfywno5q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

44703eacf8321a8fd05283f755a781a7cb17a55961159ab28d570c2196a79eb7

AgentTesla

580930d1a3f4ce1e942b21e4a6b400071952241e6f17bceee44c1fd5621f9190

AgentTesla

743cd5b161539860d7779adcc10b393ebb812c8c201b98c974b43ff1f404c34d

AgentTesla

a9cf92e1eeda276eae412eb2236216cadcb6342d6c4e638ea337349693f633b9

AgentTesla

bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6

AgentTesla

d2700790fa8bd50e3dc8fb99b0c3ce8f10fbdbf23445b38f20bf9e327f5d40ca

AgentTesla

f3b81fe8022344fd599e5e45187f2a0f6100bb3b4135fcfa99912112bf129af7

AgentTesla

f5a3632e4dc565def5e2a0e015931fd3bca1c19e1045044429bbe3912422e32b

AgentTesla

f8166c3c857a7a3ba99515cf6ae242a78050fba7608e24a88e2559e0063a187a

AgentTesla

+ 10'666 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla persistence

Link:

https://tria.ge/reports/200703-yegnnzjgra/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Maps connected drives based on registry

Adds Run entry to start application

Reads user/profile data of web browsers

Checks BIOS information in registry

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/18761/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample