MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1af0c54eca027eb8089a7a721c88de4cd6e522c5cf3f38919249d2513174d1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1af0c54eca027eb8089a7a721c88de4cd6e522c5cf3f38919249d2513174d1b
SHA3-384 hash: f7b3324c638ecd11fd62bc8e4416472317ccde51ab8184129c5b958611f2e001147e50d77c999d1822721540dd81d17c
SHA1 hash: 8949f621650d9866c25157acec988cb94be07b61
MD5 hash: 09814305d59892645caccd71693b2933
humanhash: oranges-michigan-arizona-sweet
File name:997108031350605 tt copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:552'960 bytes
First seen:2020-06-02 11:43:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:dZCwwSo/bzXql2pdmN7sxadCETWqJHgjfWny8NUoJBaXSaYXZ8BaAjrQ8:2wwpJpdmN7kK1JlN0
Threatray 10'705 similar samples on MalwareBazaar
TLSH F7C4AD9D722172EFC857D472DEA91C64EAA074BB931F4113902725EEDA0D89BCF241F2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mstdlrgw.mst-dealer.com
Sending IP: 203.146.21.245
From: Sonia Z Y Lahleh <dlr-a347@mst-dealer.com>
Subject: RE: swift copy
Attachment: 997108031350605 tt copy.gz (contains "997108031350605 tt copy.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Genkryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 13:25:00 UTC
AV detection:
16 of 31 (51.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gxqyvhmuat6xaeju6tsdsen4tgw4urmltz7hcizesoskeyxjunq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0179500cd516e391d6e8c927436354894ea076fabd99dba7f512a0d9e176f630
AgentTesla
2e97f25fb7862dc94285040b54fc393e802256c0a587562b15524a5f195307c0
AgentTesla
523e47e96043b4e5ff372230e6fbdf6a56f6e8fcf95fcd94d4a976d95471e54c
AgentTesla
592f7910caf9e163da420457db1b8c33d938c56d03c8e2955c990e8d3395ac39
AgentTesla
59a1064718f625693e7b2a25911902db5ededa7758f8ecb2911ec36095ddb95a
AgentTesla
8d72f2ddf16f0708273e74f4390a2034bf6aabe9cf80fd2ab724d52037c98ccf
AgentTesla
b0c2c67fe0c2547585bce4c5b3f95349cd475c45bd4dbaccd84fe923ceb11165
AgentTesla
be1a45ae85bb530727a5e96d3dc19eeb0542991ddb5a747b93665b4599c70ea0
AgentTesla
c2844c31f6c4c01ed6f337d65c76a25af92c56a53fe693305214ce6aacf77036
AgentTesla
f616392e2b50f1bb78ebae1ee269cf113ae09555a7735ddd5d4dd42e8ec79e86
AgentTesla
+ 10'695 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-hegbf6qjw2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 6be641f4a218bd474d900798ab72690439a7a8b03a07ed6d5cef1368f272f4cc

AgentTesla

Executable exe d1af0c54eca027eb8089a7a721c88de4cd6e522c5cf3f38919249d2513174d1b

(this sample)

  
Dropped by
MD5 b011c991043b508ad0dbe7a99055f6ab
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6be641f4a218bd474d900798ab72690439a7a8b03a07ed6d5cef1368f272f4cc

Comments