MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d309b596333bf8b744a87cd84388a745a10b64deaea395ed7f4d95ef63a84f5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d309b596333bf8b744a87cd84388a745a10b64deaea395ed7f4d95ef63a84f5b
SHA3-384 hash: 4e93146c6e3f118bc776bb98e602b3dff06d1214e3b78c895f9e82cf314c3d4544bff3f3cb4cd9f526375b2e57689f62
SHA1 hash: 51bad94e82c6f1539ed1822cee8b77a9030b061a
MD5 hash: cfacd0166936a741c3571c2187d01130
humanhash: sad-idaho-ink-nebraska
File name:Shipment details - IVC04 Kibbled - SO 805651.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:518'144 bytes
First seen:2020-05-26 07:57:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Gu3cd8isjZQxpgtDWtk/V4W+rEITlaVWbA0xZvEOzzwo+JnT6PneXHYaR:GuJD4utDn/V4WVWJxZ8
Threatray 10'745 similar samples on MalwareBazaar
TLSH E0B4CFAC365075EFC817C976DE981C60AA60B47B570BD303A45326ED9A0EA9BCF105F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: starpole.com
Sending IP: 209.58.149.76
From: Amani Al Danaf <arnaud@starpole.com>
Subject: Shipment details - IVC04 Kibbled - SO 805651
Attachment: Shipment details - IVC04 Kibbled - SO 805651.pdf.iso (contains "Shipment details - IVC04 Kibbled - SO 805651.pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.hc.22928.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 06:50:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02edda3edc65e304b70cd65a76ded7188ef03b402b16903f2d8f9fb55dd45e0e
AgentTesla
0ada2b667790a308814f474bb87a9a4eef9a2d10b14fc9716006a2133c2e54b5
AgentTesla
0d5449f84ac39b4aaa0b982b2a7880c77fdedbe6a22682c75216371e4a5b4980
AgentTesla
3b025fa14fdaeb405c00985f5b7a52f0f2a4b5851f338021b594af6881b3e8a7
AgentTesla
80a345dada3e47bc31a22c887b25df623f79407e25f86e04beb1711732dabbef
AgentTesla
a55012ee806885f057a2317d3bf72f3b7e43a77c1d1d75f142b73676ec52c6c4
AgentTesla
b1c6549b6f8357b0ca42b26fe2fa4e3cdfcf684b1d5446ca23500a9e3d7450be
AgentTesla
baaf2981e64ed0745b71f49dc599ece70213ac2f805d8d1a4f254f9bb3fcc5cc
AgentTesla
c962bb037efd22fbe3a0754054f411e8cf2f29a4e2dcb3aa5c0e15f8e4a77feb
AgentTesla
cfec0ab7a50fc4721607da3a019dfe9d8ff2bde1f771f26ffba9fbd42738f16b
AgentTesla
+ 10'735 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-kjyp1dnc4j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 84507dc1a167f6eece033f18630e1d0b8c5a80767f5e8f84368ccc60de96b396

AgentTesla

Executable exe d309b596333bf8b744a87cd84388a745a10b64deaea395ed7f4d95ef63a84f5b

(this sample)

  
Dropped by
MD5 24ee4dd4f3ec0a277b57391749a00649
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 84507dc1a167f6eece033f18630e1d0b8c5a80767f5e8f84368ccc60de96b396

Comments