MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b283242e8ae83c1b2136090df9d70d06e328ee7116186667ed766d87f468da93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b283242e8ae83c1b2136090df9d70d06e328ee7116186667ed766d87f468da93
SHA3-384 hash: 9800e58a6a2b91221815aa8f5e46dafe90131fe0c49ae3a499babfec1db1dfdd42cae018340584df0ed81f10ed269e2a
SHA1 hash: e1a868eadd54abbd47e8b49f3ce8655d9b2366e0
MD5 hash: 5451fc8d38e8d10ced2b847f3f5943f6
humanhash: low-early-hawaii-one
File name:Our New Order Mar 17 2020 at 2.77_PVV440_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'244'672 bytes
First seen:2020-08-18 10:04:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:vNciOchCFA3cqm8hlnr5dz3UcEocy8mJeTmyQQeOPQ3b6yuqt:vNcxyCFW9mGlr5hdcy8mJCSQeMQL
Threatray 10'312 similar samples on MalwareBazaar
TLSH A145E052639DAB1EC6FEA6F7F0B148069B70C71196CFE3965ECCA8702D937640CCA164
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: hosting4.kmtiendas.com
Sending IP: 37.152.93.84
From: Jana Azih <jana.azih@getinge.com>
Subject: RE: AW: Our New Order/Enquiry No.00127
Attachment: Our New Order Mar 17 2020 at 2.77_PVV440_PDF.img (contains "Our New Order Mar 17 2020 at 2.77_PVV440_PDF.exe")

AgentTesla SMTP exfil server:
mail.beljemi.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47666/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b283242e8ae83c1b2136090df9d70d06e328ee7116186667ed766d87f468da93/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 10:06:07 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wkbsiluk5a6bwijwbeg7tvyna3rsr3trcymgmz7nozwyp5di3kjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1ac4a08fcc4a51a5146f78e1b97269096b1149aa099d2ba72bf6d95144d67bdd
AgentTesla
1e3003997089d725802aea73f61a35f7a568c05b16251e2d93ea8a3f8973b1d3
AgentTesla
33bba4987ed156603ef0d3d38b149b2f3d0bed4d52adf5615a6d19013cb7a94e
AgentTesla
416f9746f079b7af4180264d06ce55b88b1547d9a9da8db352e06a13aa5cf4a1
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
aee0659a73d3ce6eaaeafcfe545290f95e8e52c3f640fca9fcdb984a17ee27c0
AgentTesla
b860c68b8a4ca548c005de132b6b2870a43baab32df04c32588d70da1ae47b6e
AgentTesla
c297389eed9eef2c21048b2adb9c9112fc7a7f209e4a0c989bbccc4a56b5d211
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
e2ff7c5e749d36ebfcc2a9d5af487369e454ef301a859eb8fc11ebe15ea73e34
AgentTesla
+ 10'302 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/200818-vbcg2t9x3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img ded859828ecfec80972ec46290f70393c74c023b442b8e7f334d7aec9b47648a

AgentTesla

Executable exe b283242e8ae83c1b2136090df9d70d06e328ee7116186667ed766d87f468da93

(this sample)

  
Dropped by
MD5 95030c5c64e78c877af4b1660078bf29
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47666/
  
Dropped by
SHA256 ded859828ecfec80972ec46290f70393c74c023b442b8e7f334d7aec9b47648a

Comments