MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d125bee4f4cf2d445a9eca9c8a88e2fa7f3a05dd615e5567ab7a22a6aefbe56e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d125bee4f4cf2d445a9eca9c8a88e2fa7f3a05dd615e5567ab7a22a6aefbe56e
SHA3-384 hash: 48f7cf7adba385c3c00b86808a22f44dee0beea1784e6c642c555d7ef6e376fc46becc46e4ee2b01196329e45ba996e5
SHA1 hash: 3dc7df1b97f7fa6f0300aab6b5551219459b162a
MD5 hash: 69ce67f936596fa76b3f26f6b496ab37
humanhash: yankee-mexico-mockingbird-minnesota
File name:69ce67f936596fa76b3f26f6b496ab37.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:764'928 bytes
First seen:2020-06-15 12:31:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 54460d2eedb6a541ae3fa68cd3e66377 (10 x Loki, 8 x AgentTesla, 4 x NanoCore)
ssdeep 12288:+n5WrxQ9hwM0cqsdxGAukR6E2F6Be8nAOXDpyYyUpmRaJtc/yF3eFNQv9ye:IQrx8h9Osdgk72wJ/4Yy+5F302
Threatray 11'464 similar samples on MalwareBazaar
TLSH EFF4AF22E2D34437C1E736399F4B9674AC2BBB13291B6D466BE4CD0C9F386813967097
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.fipco-sa.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10390/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.GenKryptik.EMFN.12147.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 12:33:04 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2es35zhuz4wuiwu6zkoivchc7j7tubo5mfpfkz5lpirknlx34vxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
1d5b79d3f8c7da6f1490f8443b974a1addf9b0a476f79aabdf64cc476ac61073
AgentTesla
3c3c2afe57269ba1438595d34dfd3db570514bcf7b404a3ae8a38f8481729da3
AgentTesla
4b1da5728b996ab79cb7b1a354473fdd36d9c3db938097183f6f4595ddab608f
AgentTesla
72601c184a73a3def992b0bf596508387d7aa5dce9188be7840c1c25a9cbe7ac
AgentTesla
8a663cfe242718a703a38680185fa4b6139f8b72190c5f240032bc09367e5a04
AgentTesla
9085ffe21d4f55f9aaa5c9e63618b0a599ed6f7c6ad6f054fbd06ecddd5321e8
AgentTesla
90c2b20b2f904dcaeea6ca1e3a4fff5d586c3f07a0f958b3fd25202ab3a35d2c
AgentTesla
ce0257b16f4bfe10b1e98e9f7c332ec4fd4766a093c5462a32394282c6a5120e
AgentTesla
d59050a250600d11ef74a166049807095bfee68ba3b58b01ab65f4527c55142c
AgentTesla
e23a268f1e3c63c4b2460a42e219a7237744ddaad6d9bf383977c85d9921843d
AgentTesla
+ 11'454 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-pyj25t3z3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe d125bee4f4cf2d445a9eca9c8a88e2fa7f3a05dd615e5567ab7a22a6aefbe56e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/390042/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/10390/

Comments