MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c85ff24372320b72baa0652814e4288eeb120f94c98e50f59a90a706bf720b1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c85ff24372320b72baa0652814e4288eeb120f94c98e50f59a90a706bf720b1a
SHA3-384 hash: a42a8bf7f9d70c86ad5dda293e48c56b1bb55eb8cea4afa5514db46b2c44bc3ca6e27300d8f1423e55a4a662ce804b5a
SHA1 hash: 67a59bbc22c9a37c8bc2f5ed31a88bb366456c82
MD5 hash: 4fa90c9ca02cf3595e509b97d8f9e182
humanhash: carbon-alabama-magnesium-lemon
File name:file.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:676'864 bytes
First seen:2020-05-29 05:25:17 UTC
Last seen:2020-05-29 05:45:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:bGS7Kh6VEt64JWNO+sBqiPhMbrgEJz7Ow:qS+6NMxBlpMXgOOw
Threatray 10'806 similar samples on MalwareBazaar
TLSH 22E47C393A45A804D13E067A50E9569066B5A9C33F02C71F3ACAA36CAF017FF7F4529D
Reporter abuse_ch
Tags:AgentTesla exe geo KOR


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: newspamfilter1.mailnara.co.kr
Sending IP: 121.189.61.170
From: Heoung Sik Choi <sohong@pields.com>
Reply-To: yeon87690@naver.com
Subject: 요청드립니다
Attachment: file.gz (contains "file.exe")

AgentTesla SMTP exfil server:
mail.tremdyclub.net:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.12501.30935.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-29 05:36:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 48 (43.75%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
0254f414295e7637c690312621a7b21586d531bdfe058abd870c29587890b72e
AgentTesla
1de6d8667da47acd79149ba091ed36cf9e6b40e469ac7e49299792c72e21e764
AgentTesla
2016d6f87e3b60c0de717a66ca5483bd94fb2729bd8d66c1c8828e7f2cff3704
AgentTesla
4410537e13a01896bab12528953776427755829a7e483890aaafd04a12fc23ab
AgentTesla
5bc296dfe287bdb6984000b8af4d8647fdcb42b22b521264e7ea14a74ac05975
AgentTesla
757f7141daf24169ff3694cdf0247b7ce0b71c66a970837a71149a69b5b6d371
AgentTesla
8941d1279e3899cd7342a1f7f1b6da470544a2685e1cdd320be9fc194bea36a9
AgentTesla
97c3cf905c068daf00bbc9c10810ff4437d953c3263e962b0454d0babcfe5494
AgentTesla
9abbf24b322068da5ac2e1581827d788d787eb8b31685863b1aa048f01ca5190
AgentTesla
af0e59dcbfdc7a8b1a13748ab6e392d165e6b91f0a1ac946b3ea7dc3cbb4fac5
AgentTesla
+ 10'796 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-1e3gnhystj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 5de66f9995b3205df66da098ddde8e1ff2ca806aa20c2861dc1340df7703db79

AgentTesla

Executable exe c85ff24372320b72baa0652814e4288eeb120f94c98e50f59a90a706bf720b1a

(this sample)

  
Dropped by
MD5 9d33200e0464aa291aec8c1af9b87d67
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5de66f9995b3205df66da098ddde8e1ff2ca806aa20c2861dc1340df7703db79

Comments