MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b94b01c935262008be1c17c1738470fe47b00fb70effbf18e0a6f9afcbfc1877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	b94b01c935262008be1c17c1738470fe47b00fb70effbf18e0a6f9afcbfc1877
SHA3-384 hash:	f11cd9fb456ffddeaf35ad2b9fab852891c58e7a5423e0714b275b781620507a6a6a2e917fc61b808732730f3c0e7753
SHA1 hash:	5e9a11b4a0656f3bf0ce813b03f047f2f748a4cf
MD5 hash:	3d7561c1831a1ee53dcdea5d5eab3437
humanhash:	alabama-august-bluebird-fix
File name:	Order67469.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	530'432 bytes
First seen:	2020-07-10 05:12:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:IDU+Hg8Tk3nk0jskko0kkTmZj7U+Hg8Tk3nk0jskko0kkTmZjfvjDPLB7w5gKpRL:cUB57UB5TDPF0yKz2JmLSxuP
Threatray	10'884 similar samples on MalwareBazaar
TLSH	93B4CEFE32554757C429B079856AC63983316D17A040E24AABDDFF8B30F2FB3413669A
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/24166/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Moving of the original file

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/b94b01c935262008be1c17c1738470fe47b00fb70effbf18e0a6f9afcbfc1877/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-10 05:14:06 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xffqdsjveyqarpq4c7axhbdq7zd3ad5xb3736ghau3427s74db3q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3e7332310ea67e1982c17c325fde52c70c2155f73d2792b51e2484b86ec51e1e

AgentTesla

68f2555170447ba9d31f0feb42074fc3764543a705a08c938e93d2c6e574d83a

AgentTesla

7046b7932a10c62dfd330862369d68e1b235b27122187d55d619a4cf881bf2a7

AgentTesla

7341780b5a914f5cf26fee6fecfa59380432fe6da8ad4aeb5bc9e83836991b1a

AgentTesla

7abdc63d0ff763f8caa5ff80afbc8480f56566858304afa832c7123357ab6b54

AgentTesla

a4386679c10dfd7338f895f96529fe4c8188814db395cf6473786c9ae3c4c957

AgentTesla

b6e27dd859c2b932284d6a65629a1df3f262ba01b11c56281935dcf6beecdf8f

AgentTesla

e0946b05635011f81ce5534b1d49bec2dd2cb184af87c7ebea2f55d91e0a07cf

AgentTesla

ee5571110d6b005c3de5cbe9672640254c3129f2b523a357da6f163a1b827c47

AgentTesla

+ 10'874 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

persistence spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200710-amw3c325ts/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetThreadContext

Adds Run entry to start application

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/24166/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample