MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b98f6ad80f1ab3459c9e3626b1113eba28dcc4d07f696daee1050a884900fd80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b98f6ad80f1ab3459c9e3626b1113eba28dcc4d07f696daee1050a884900fd80
SHA3-384 hash: c17753ce0eeb088c4e8b0c0da66a1ba620517bb44437eb20901b865f8533422c6fd64956017a064c2dfa9ce81a29397f
SHA1 hash: 8308ba5438e0bc53792327447e46b3667b4c7020
MD5 hash: 08baa507bc7277a2e840003a36fb32a7
humanhash: island-early-double-gee
File name:S2020000003209.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'777'664 bytes
First seen:2020-05-07 06:48:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:itb20pkaCqT5TBWgNQ7aCW1TCv4b4iiaYYp4wrZOGa1YGfPwr9hrCGy16o746A:vVg5tQ7aCw54j7Yp4qaOy8DrCGye5
Threatray 9'629 similar samples on MalwareBazaar
TLSH DB85F12373DDC360C7B25273BA56B701AE7B782506B1F96B2F94097DE920122521EB73
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: jjb.cn
Sending IP: 156.96.58.98
From: sales5@jjb.cn <sales5@jjb.cn>
Subject: 索取样品报价
Attachment: S2020000003209.r00 (contains "S2020000003209.exe")

AgentTesla SMTP exfil server:
mail.hakanmobilya.com.tr:587

AgentTesla SMTP exfil email address:
tulayo@hakanmobilya.com.tr

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 03:08:13 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xghwvwapdkzulhe6gytlcej6xiunzrgqp5uw3lxbaufiqsia7waa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1218e2c22539ce5761b41898a9ad562eeb54c27e4f786ea0374c25e2a28e7d03
AgentTesla
1be97fde78848d5f414a09d31b63a422e30404d787a5467edede763c73e0bbbd
AgentTesla
61e578e8dddb3755665f4b56d075417c41585ae95eb7f61cfa5942bf06a9a8e6
AgentTesla
8efa5e8db185fb62c1a2156d79988c47d240abf1099e10cefc16a2d3956cb49c
AgentTesla
9508069c61947ddd06780f37877dc3880c74707e58e05503ffe3d22b23297fcf
AgentTesla
b8cedaeefb46ff748af412d63d33b2d508966d4e33fd88efc592072b64017f5c
AgentTesla
bc54652c9d21400491931b5276d788d60857f782af994de788d7506913fcf0ee
AgentTesla
c102aeafa1ba9f31a8433b1c3b14f8e555eaf7d2dd5af0cd63403ff0160134f1
AgentTesla
e9fc4844ee50f9e59616bd7238bfae3de6b8b194abf635e787e5a44d8658fe42
AgentTesla
f3896a11c5b839b300d4c39c9b80476f5187be7444b0c6a30f82a6f13374de07
AgentTesla
+ 9'619 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-6rns88vevj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 0b1639aba8b802ffce62b362e90dd49a051795808ad9954e23c3cc770eda4069

AgentTesla

Executable exe b98f6ad80f1ab3459c9e3626b1113eba28dcc4d07f696daee1050a884900fd80

(this sample)

  
Dropped by
MD5 804f5b51e5a9372105251a8b99846c78
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0b1639aba8b802ffce62b362e90dd49a051795808ad9954e23c3cc770eda4069

Comments