MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8f1979f8dc989237478cae3126d36f153b183b90e92d5ab3869bc4f1abf4281. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8f1979f8dc989237478cae3126d36f153b183b90e92d5ab3869bc4f1abf4281
SHA3-384 hash: 829324a1927c2480d46831b08b28349872e881aabcb471a253a97bb6603c92b1732df11882446da3d91a6456e1a7e12b
SHA1 hash: 450221c282858e8bc3b18b8c9a3bb4019f5597f9
MD5 hash: 59b79cb1fba255f3b003dad23b7f90a9
humanhash: three-nitrogen-edward-shade
File name:ARK LEE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:411'648 bytes
First seen:2020-07-09 12:28:37 UTC
Last seen:2020-07-09 12:37:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:lEoF7UduGNozQIoL6+FOa8RmwlZceyI/m:xRUnwQpLhFOUSZ5y
Threatray 10'616 similar samples on MalwareBazaar
TLSH DD94F040B2FC9E29C4BD57BCA6B4409013F9611BE523EB2E4EC1B8E11D777918A53B1B
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23775/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c8f1979f8dc989237478cae3126d36f153b183b90e92d5ab3869bc4f1abf4281/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 12:26:31 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zdyzph4nzgesg5dyzlrre3jw6fj3da5zb2jnlkzyng6e6gv7ikaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0dac9d7755c33d54aa60d106bb75a2f887cbce8660a7c88b78084b415ea241f2
AgentTesla
3080bf75b34e9b440154d8f35f7e8c5bd111995869118a093f81b56583f7c03b
AgentTesla
319d0b2de48964ad79622ab5177bb6cd05bae9fa537cc8da575498be4b7eda0b
AgentTesla
62433e4de86d61a56cfc3333382d8a43d666a4839415a88ceca53a0754e06636
AgentTesla
681eec22b304d975c119e8b5721abd7b4ee6586361b51dda2c93f5a4c426abe4
AgentTesla
73a97b147022c0f2f81ea263a4923b4cc63e6707b712be1eea87c2245cbe8c58
AgentTesla
73f4a9ed2cc796b0a7633ddb086b405ab88b5a626875e792c89fa178f18fd1ee
AgentTesla
9bcfc07b259ef80e8e639dce55ae194b5bfd74902d825de9cef183035c8ca2c1
AgentTesla
c2d6a58ae4cc93b225f512a127c751c63398d0fdb7f847b77c83cad6cb79e6bd
AgentTesla
fb457c1476f45e410e044c90f1d3c8d60088d2eed6982cc59cb60d1c96fcb05f
AgentTesla
+ 10'606 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/200709-c5zk9mphn6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 8600a5bf144a7ea079091e72073590520cb7e06afc8e4ddd47c16d4675a5b955

AgentTesla

Executable exe c8f1979f8dc989237478cae3126d36f153b183b90e92d5ab3869bc4f1abf4281

(this sample)

  
Dropped by
MD5 ed969fd60af6ba189ec6580dcce4a171
  
Dropped by
SHA256 8600a5bf144a7ea079091e72073590520cb7e06afc8e4ddd47c16d4675a5b955
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23775/

Comments