MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c559cd7a8333257a6e64a672d4f0feaecb3805c68498e170766428231bd40aea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	c559cd7a8333257a6e64a672d4f0feaecb3805c68498e170766428231bd40aea
SHA3-384 hash:	6297e06f1b0da5be701afe0c580fda7acbee78a89b022a5970e3333ebb2cc851c348dd9fbeb84904521ebccd65a5b8dc
SHA1 hash:	075facc8a63b254326f0c7b945c7b40f0bf09f63
MD5 hash:	c128c6c7eb2dfb9296dd922e927f94bf
humanhash:	shade-oxygen-rugby-early
File name:	c559cd7a8333257a6e64a672d4f0feaecb3805c68498e170766428231bd40aea
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	804'864 bytes
First seen:	2020-07-08 10:10:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6b3c153e2c072d4ba0f1fdaaa4778d3b (1 x AgentTesla)
ssdeep	12288:HxK33heNnvkxmaaeLawFMFnu93H7taIqwE/CGLydZ4c:4nhUv6JaAj37tbqwEKG64
Threatray	11'661 similar samples on MalwareBazaar
TLSH	7705BF16F2D04833D16B263D8C0B96756836FD412E289A462BF5DF3C9F386413936EE6
Reporter	JAMESWT_WT
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23042/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.Herz.B.18879.21615.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a service

Creating a file

Stealing user critical data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c559cd7a8333257a6e64a672d4f0feaecb3805c68498e170766428231bd40aea/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-08 10:12:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yvm426udgmsxu3teuzznj4h6v3ftqbogqsmoc4dwmqucgg6ublva._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

34de2d8223254d922454a9c4753613882e2bc5f55a706690715270f9f052b16e

AgentTesla

359202073aae173560c88009c27966e8f6a4bb3b05c48811f35dcf27b13ff0a0

AgentTesla

6829d0fda2947fe416b54669b3bfa03020e2b191f412292f5b6a53abb638bcfd

AgentTesla

79298aefcdaa74aeb60984fade623a91a84f0ab7fb5f3df342b86a5bb5efacf8

AgentTesla

7c4ec41185be3d57adbaa0bfcd8b517aa2cabbf40320e2de0dd1b4ad73aaab36

AgentTesla

9ac6f36e933607b09a00eb16eb67acee68fdb8ee460f556101d742dee7b7c6cc

AgentTesla

c45cbf7de196d50a6eb860e3d8dbfdf8f3699c3e62df58f63bd1c6c176c9ead1

AgentTesla

e0e2b9ccdeafb58afceb0e90a9365112b5cb9446054e06b18e9ef51841e6f36c

AgentTesla

e3574b9f84ca8cf778a664b60c2d6fde9049c51a384f5fbe49003fe806afd966

AgentTesla

+ 11'651 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200708-vcssqcb7as/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/23042/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample