MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b826981f8021d62f3c3d2126a6a5f5b1f6c1591ee875a509985d595568c096a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b826981f8021d62f3c3d2126a6a5f5b1f6c1591ee875a509985d595568c096a4
SHA3-384 hash: 998b8f81caff40d40aaf324c6b643a2ef0251e98cdd4520e6bbc9d76386bd4fcbbdde580bf546f9c79aa8adc44cbe3ff
SHA1 hash: a863dd8d980f5ac1a5ad2e635c3cd0adeb09a1ed
MD5 hash: f8b652aa1ff5219c4e6d8b47a966fe0c
humanhash: failed-failed-failed-georgia
File name:18052020 Order.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:538'112 bytes
First seen:2020-05-21 09:24:08 UTC
Last seen:2020-05-21 09:51:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:HuNcd0O4v2nW2YD9LgntA85R0/FfLLrrWu/43w1w1MJ+OzU:HuNCb4ve+9Lg/4NLLnD7weJ+EU
Threatray 10'707 similar samples on MalwareBazaar
TLSH CAB41251B7F89B11E9A88FF40931A094637B7627A436CB5D1F6424CF6833B41E681FA3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.ekosplet.si
Sending IP: 86.61.65.192
From: David Chan <dayuan@dayuanmachinery.com>
Subject: Re:RE:REQUEST FOR QUOTE; RFQ #
Attachment: 18052020 Order.pdf.ace (contains "18052020 Order.pdf.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.49161.6219.30506.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 05:38:09 UTC
AV detection:
19 of 31 (61.29%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xatjqh4aehlc6pb5eetknjpvwh3mcwi65b22kcmylvmvk2gas2sa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
094f6a9977aca85ca844fdab18035108dda8907b5c7b90416653a573e4e127b7
AgentTesla
3cad8abfd66f6df4932c89a68f71e666568d74cb9260b05984294d1675e2d838
AgentTesla
4664b88274ef7c903d7eb7c18ab51ba8109640210334f648d696afcecf935ddd
AgentTesla
6c731b9e623222de40d78c857573d713bafce156a4b42dd445a840fddfe585be
AgentTesla
708819369d030c9ac2cca2a078e695318a8b8289ff78e50a44684761d63173e5
AgentTesla
7ef79b0251ad78e90b1cd1e95fcdd8566ac3629d6a921a3aca8383edc8893f82
AgentTesla
beaa5c13b3a73673a51f0cf8a2c24ef5ec65c3bbe0007520d4af6c37a8d43aca
AgentTesla
d8d45bcdf17fe5bdf30789b7af5e92d7c28a70ba64f3bd7e09f100ef1ce30281
AgentTesla
e0e75410c585dcaeab1ac774bf62f0ccc55ec32e009fdf75a8f089438e5b65e7
AgentTesla
e8a769ba38c1f1a8c2969c99a3d8b314655096456e9c9dba47170b3666fcdc88
AgentTesla
+ 10'697 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-sed1t67wva/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace 816fe5493e4a3d28a2caa0516de3385ea2beb4d69485ef24659f52225123dc50

AgentTesla

Executable exe b826981f8021d62f3c3d2126a6a5f5b1f6c1591ee875a509985d595568c096a4

(this sample)

  
Dropped by
MD5 87719c38b81cd45b9c7740561c0f4b59
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 816fe5493e4a3d28a2caa0516de3385ea2beb4d69485ef24659f52225123dc50

Comments