MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bca4bb062bec354c21f07300bca545b706478e056b3bb71f3ce41fdb589a26a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bca4bb062bec354c21f07300bca545b706478e056b3bb71f3ce41fdb589a26a5
SHA3-384 hash: 31563796a5ee183cbb4993f094c423c328749b43a0715d275c62db03d971fd21b92b40cb1e18cb3decc94fefb9f3e73c
SHA1 hash: 7381028bf94c8c48dbe841c4553d36746c496162
MD5 hash: abce7325b47fd0d3cda8201fad1e3f78
humanhash: bulldog-floor-delta-high
File name:PO-677763783-sn-997588983y3.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:523'264 bytes
First seen:2020-06-15 12:53:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:gyx7Yy4sMAyslpKWYWfmTTRhjmlJVWlba4c8z3:tx7Yy4/7lzWfmTTDE2a4Vz
Threatray 11'049 similar samples on MalwareBazaar
TLSH 4FB4CF7432AF9D1DDE290FB64A13110056BC9E7A6A32F2871DC535EA13BAB940D10BDB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: taghtiran.srv.narganit.com
Sending IP: 91.98.96.133
From: Lee Seo <L.seo@krones.com>
Reply-To: Lee Seo <nurdan.ozirneks@gmail.com>
Subject: Quotation From our customers
Attachment: PO-677763783-sn-997588983y3.7z (contains "PO-677763783-sn-997588983y3.exe")

AgentTesla FTP exfil server:
ftp.aydangroup.com.my:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10424/
Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 12:55:06 UTC
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xsslwbrl5q2uyipqomalzjkfw4depdqfnm53ohz44qp5wwe2e2sq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b521dd6608e57b420003f19c7bf4ad7ddfc2fef8d3c9e88bc615fab697a5380
AgentTesla
15b2aa8ef11f5e70dff7e0b3bdbbce2f58de5a623a6af850685b9038c256358a
AgentTesla
1bd16b971407f4aeb31f7eb8392b2299b22cc8e1778a8c770e7ac4c0150681e8
AgentTesla
24b87098401a034e2a2af843c71124b8ac72b4503d26fb725099130a97ede32c
AgentTesla
8acbf14306b787f2e29dd9e13e57da8cea6609a3ba9aa86e126243e690a4bf63
AgentTesla
8c71aca391fbd24fb5400cbc0cea7bfc424dfac861cbfebbac25393e8b21bbf4
AgentTesla
8f98784c107af1ace1c7437d885de9d5e7c253389c53a10ebb8a8d1b3c49477d
AgentTesla
9847654714ecb412b6af1f270d2ede9b8683580e5280def0131b6bc27a9f27e6
AgentTesla
b36bbb0eb9a01f864b737da49dc227f0db18ac8ae3fcac18d829b2c773d62f8b
AgentTesla
c947c1c6634e3385b6e8c95ca80510c6191c7bad1b50d243b41410ac0d4df044
AgentTesla
+ 11'039 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-5a6e6t42js/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 3f220e74ec5bae5bae8a33abd70e38e41f29f2f221434842317f1c9a4ec8f149

AgentTesla

Executable exe bca4bb062bec354c21f07300bca545b706478e056b3bb71f3ce41fdb589a26a5

(this sample)

  
Dropped by
MD5 90e312b9341eac1620ce011d0fd6c0bd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3f220e74ec5bae5bae8a33abd70e38e41f29f2f221434842317f1c9a4ec8f149
Cape
Cape
https://www.capesandbox.com/analysis/10424/

Comments