MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c583d55d2f7f5ca522bae9e5c239eb7a2c2566f67b61a33718567d2aa1e44f5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c583d55d2f7f5ca522bae9e5c239eb7a2c2566f67b61a33718567d2aa1e44f5c
SHA3-384 hash: 61dca7fd2c05085132653466b6a9d86e72ebe6ce87a261c41dab295af3890c142385a974087a1b2254f9e0a25067a299
SHA1 hash: 55f6ee35d15178f28bd3f96d2a5acdd5c5790734
MD5 hash: 4d97ef0bd4f4805e6d889f572c8a1add
humanhash: island-zebra-blossom-freddie
File name:TT slip.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'765'376 bytes
First seen:2020-05-04 21:46:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 49152:0Vg5tQ7awW76edxYZ9yjMvMi8WYoQRrre5:+g56wNDjo6rr
Threatray 10'883 similar samples on MalwareBazaar
TLSH 8285F11273DD8364C3725273BA65BB01BEBF782506A4F86B2FD8093DE920161525EB73
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: chita.mrservers.net
Sending IP: 136.243.102.96
From: Sarvina Anyuh <gtomy@dorspecnet.com>
Subject: PAYMENT UPDATE 04/05/2020
Attachment: TT slip.r01 (contains "TT slip.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2791/
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 12:59:00 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywb5kxjpp5okkiv25hs4eoplpiwckzxwpnq2gnyykz6svipej5oa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
022f620a938c681b650702fb406c53f7267e5678028a9ad1461f4852405f7a6b
AgentTesla
03eacd008568d29ca8c5a4b9735f7fb6d2b2e5b7a1726f7ed316380e7b9f3e5c
AgentTesla
37f58916e43943d8dc35a2a931a7a6bfdb0a82ae3dd2f2579adefd6187a2c745
AgentTesla
4a4fe9ccfc1fcd85080b7ba8c53325466e06bb5a0b5fc29a05a87c5515504b0a
AgentTesla
556127877af376d03768c2a474c93ac17b9a5657c22b75752937e2bc3b6a318a
AgentTesla
8fdc81efa6fd138b9f7dd2e95e957c5ffd1e1d31ed2d588b531433f4915f8ed2
AgentTesla
93df210f7bb07b5e3749e81a876881f8fef44dcb4b10ece991d8d6a0100a0ab7
AgentTesla
baca2679d58701e79d47980d844a4556240d4bba87d19617d01c6458c35b9b72
AgentTesla
dc04a38c539698b506b72798383910e16989b21b78c4b0f0b32dcaa804294404
AgentTesla
ee50478f6e4664e658f9a90e6f93f5e0c750ed5ae217c30233ed42e24b21b890
AgentTesla
+ 10'873 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-gewjnn6szs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r01 5d1041ad9b8929f3f84cf7883e5e2df57575f2eafeddb4bd813d960a9e3e32d8

AgentTesla

Executable exe c583d55d2f7f5ca522bae9e5c239eb7a2c2566f67b61a33718567d2aa1e44f5c

(this sample)

  
Dropped by
MD5 99896e2d4ab752f08797f8f0f20367fa
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5d1041ad9b8929f3f84cf7883e5e2df57575f2eafeddb4bd813d960a9e3e32d8
Cape
Cape
https://www.capesandbox.com/analysis/2791/
Cape
Cape
https://www.capesandbox.com/analysis/2790/

Comments