MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c10317550848e63f5fae67e32b98ae4d098d67b9281dc33488b2d5392e2d8709. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c10317550848e63f5fae67e32b98ae4d098d67b9281dc33488b2d5392e2d8709
SHA3-384 hash: 01e432f0bfabcaba6d60c09de6f31cb43266edd86e692140b9531929241c8e7a92b90d7c988ee1cad2ccc0f6aac26919
SHA1 hash: 4266c2772e90d5906ea742ac94147810fe31744b
MD5 hash: 04868fde8f9bddf167f832afb3c1bf91
humanhash: bluebird-charlie-neptune-hawaii
File name:PURCHASE ORDER.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:539'136 bytes
First seen:2020-06-08 18:01:33 UTC
Last seen:2020-06-08 20:02:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:5zC9naXTvI61ZRizHqw8ZxWpFRwhC4wDChhqYp2751hbQKvtdMqhz:BXTvI6/eqwwWp4hC4JuB7X
Threatray 10'667 similar samples on MalwareBazaar
TLSH 54B4CFDC726072EFC85BD472DA982C68FB6075BB531B4217A02725AED94C887CF185F2
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7152/
Detection(s):
Win.Trojan.Agent-8011135-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 18:01:08 UTC
File Type:
PE (.Net Exe)
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yebroviijdtd6x5om7rsxgfojuey2z5zfao4gneiwlktslrnq4eq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
010feb64e7a22298dfd888fe944cda96d151a37d9d73b47b59104997bf9b07bd
AgentTesla
0f349ec4181393b40ae278aaaa2a14defaa8c0333bc68c86a551422f52fbfdf6
AgentTesla
28661e85795aec8e469e9000abc8e50f5ed65150e778f0547a837400fdecb468
AgentTesla
4cd234eb292c25936d72ccd7b844bd2ab2f351de46edd2aefbccc6f68d99eb38
AgentTesla
53e801de99fd2e86a91a912108b196c3f9567f6c7394fac6050861cd3b8777e2
AgentTesla
5e110b46db054e7b3b2e12592791e89e76d8baf65c215c1a577ec2016c3c81e5
AgentTesla
7d105f34496392ec3bf89496e22d5036ab944dc0430065c5a3b813dfe2406742
AgentTesla
7d16317ca81889aab8d6d82440ab0fb2375d4ef7747f2b1d77936fd79141ba77
AgentTesla
8a2eff7baa0378f516d1819028b5198f1bd9de55e0ee1b9377e0b1045cc1f1e1
AgentTesla
de51c601d1757953b944489454503ebdb6e95d39e19e5fb13838741e46533dd6
AgentTesla
+ 10'657 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-ezcq7zxy2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/7152/

Comments