MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8b648e44f2ab26fa568183e5139a8cdfe5fd7b6b1e174184324fb3056c9ce8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8b648e44f2ab26fa568183e5139a8cdfe5fd7b6b1e174184324fb3056c9ce8e
SHA3-384 hash: 68e790b0b373a2a8b09153e2983a517de69d0b4b622a163a8cabd79e8d25f56ee2120ae7e33d08205460b161a1984e0f
SHA1 hash: 1848f48522f250fe35d2ce0ee77087920a22ad6c
MD5 hash: c38d49bb12881d106244f20994b37f08
humanhash: bravo-undress-yankee-kitten
File name:Agreement.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:315'392 bytes
First seen:2020-05-12 09:41:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fca6871dbe8ea33b4f2332029983bde2 (3 x AgentTesla)
ssdeep 6144:RZ9ClTvqTnz9Jb1MEuGYNl5JFBYZoKE2yjjLp8F6942M9hpNyxq:Rakn57nYNl7L8RqiF842e
Threatray 256 similar samples on MalwareBazaar
TLSH 8A6402236AF01B72D15A86721E6787A4C66EED310950CE031FD53F1CBBBAD418A6731B
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: clear.gilbertshortsale.net
Sending IP: 193.143.1.26
From: Ali Kassabieh (DHL AE) <Ali.Kassabieh@dhl.com>
Subject: DHL Proposal
Attachment: DHL Documents.z (contains "Agreement.exe")

AgentTesla SMTP exfil server:
mail.kteadubai.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Hosts.47568.21208.5280.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 07:10:50 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xc3erzcpfkzg7jlida7fconizx7f7v5wwhqxigcdet5tavwjz2ha._file
Verdict:
malicious
Similar samples:
009408ca7bf5c48fc1140cbe594f1461defd77206be643e1f9bd548986ad636c
AgentTesla
25d7c4fad856957a1a4b2a146221ca5620675edf33eeecb596a2610bb719a45e
AgentTesla
26a66cf0d4dd345800c6695287e2c2d54a70f98892edffcd27c2f9475ac9ca82
AgentTesla
31e0d8d290cef40450e8afb88a58749155645f4f702bdec51a81290d0230de09
AgentTesla
39599008089755aa7cccb534b2c94ccb537f266018bb67ae3ed4b9f51c0a40b9
AgentTesla
39c531db99d46a4b3906a41e6e1afdb2523106c795b11eecaf75bc3a1fbff57b
AgentTesla
43eb644d0682f9bc85745c538015ba9ad19b10116792b5e5aa5da33b6c3af797
AgentTesla
63f6b1b60bad01e24355ba56b1ffee392c87858a40ecd14d76e51ebe7c3333d1
AgentTesla
e25b667d727278544032a0553b0ce93d6634f27be4c5abb8b7f103337bc683e2
AgentTesla
e78e7d17890f956f99183f8524d03f871bce6e82cc1794937d680c4510bb4be9
AgentTesla
+ 246 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-yyf2r3p732/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 0879e3df000ba3c68fe594767610aa373c7c19053eae0bac04076a76ce8aac38

AgentTesla

Executable exe b8b648e44f2ab26fa568183e5139a8cdfe5fd7b6b1e174184324fb3056c9ce8e

(this sample)

  
Dropped by
MD5 8aac9e0a1f733794f64dfd4bb7252732
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0879e3df000ba3c68fe594767610aa373c7c19053eae0bac04076a76ce8aac38

Comments