MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b283bef04917f527c9d2ccc9f4f9c20a9a91651adb2d2ee250901d66ff53f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0b283bef04917f527c9d2ccc9f4f9c20a9a91651adb2d2ee250901d66ff53f0
SHA3-384 hash: feeb5f0d0337dd60267f72e1c3a5abd85d4e12dd84036dccb44fe776d574be78877c179e02c7671def8465bcbc244f83
SHA1 hash: f37eb58901f71184020ebc09ad27fb5172e22038
MD5 hash: fa88a3e7c35ac9d106362b18a0b940cd
humanhash: berlin-winner-oranges-angel
File name:fa88a3e7c35ac9d106362b18a0b940cd.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:410'624 bytes
First seen:2020-06-01 07:55:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:IKWe+b0OWKlE3zL12GnAJbElBINtlAQtAEeRwG3:IPbjnE3IGAm3+AiAEeyQ
Threatray 10'777 similar samples on MalwareBazaar
TLSH CE94124C612D9A2FCA2D99BA6068140417F9B9772163F3CFED7362F0178B7C45A40E9B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.labombilladeoro.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-06-01 07:26:19 UTC
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yczihpxqjel7kj6j2lgmt5hzyifjvelfdlns2lxckcib2zx7kpya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
154e3d61c42499996c63db646175ed1b3252c598d7e79e7e03763f99ebb23294
AgentTesla
37c825ae11473b79ef176cd9bb749201860e47d02ec7b239e4e65db3a2d9ade7
AgentTesla
540de6270b575214ac3223fb38a9978e5a8cfc9781b5918af8ac1e91f23fac03
AgentTesla
75b22a0fa50ba829ea6a30ab9bb769209bb30eddda709aa0e8d04eedb7156ee4
AgentTesla
83b1d755208da6440d8d5879378f6db6449ed5e33c18302b47a477ec85082dbd
AgentTesla
a93955691d6362b1ee938642800ed9397cdfd4152e1e2ea68c9cd0559f6aa575
AgentTesla
b32582d965c3013be019bba8cb16e651c11b5a59876d3c62403569a0127782b8
AgentTesla
dd106cd0751eee604ab0bf2e0a5b89fd86a872aaf2b707161cd753d316652ffc
AgentTesla
e38df9c0ed07f3226d5a6d5325317c0598011a125f21dc7890e92f661dfd675f
AgentTesla
e9616b8f6ff38ae4e4cd15c6bbc5b27e6aa667015f926f746c9faed504e2e817
AgentTesla
+ 10'767 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-43sf7a5x8n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c0b283bef04917f527c9d2ccc9f4f9c20a9a91651adb2d2ee250901d66ff53f0

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments