MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4506aeac49d083167a92bd38d4776d296750d44cd86befa03532fb2befc863c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4506aeac49d083167a92bd38d4776d296750d44cd86befa03532fb2befc863c
SHA3-384 hash: cff50abfe40ccc6b5d64da1bc3982a282843b177d3f3ba728b73c5ce3db797f273b80f4a275c4c05184535855047e884
SHA1 hash: d324b6ece5fc65d33a2b3428bc6b9a3c058e65e2
MD5 hash: de0107a50ccbb63541a633cf517b2d2b
humanhash: indigo-hamper-orange-double
File name:de0107a50ccbb63541a633cf517b2d2b.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:287'744 bytes
First seen:2020-06-03 08:44:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:uun+9Ngkgljd3NhV/g4RExmYMXuu8PK5892:aekstNhdW0Ey
Threatray 10'813 similar samples on MalwareBazaar
TLSH 475419686B88B902FA3D5D3389D116701BF190874E12DB0F6FC45EEC6E537CA2D4A396
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
server257.web-hosting.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 02:19:18 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2rigv2wetuedcz5jfpjy2r3w2klhkdkezwdl56qdkmx3fpx4qy6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0352d55cf10867420b433bcd9adfdb0e39afe2484db5c57946bb86297a39ecbd
AgentTesla
2f94a22459281f588230523a1ec32e45ef392d1e202a3e70f0606f66a44ea982
AgentTesla
54a3195e1eb2acf84a5d65549f7497c30e161c48fc5de9754d99bdd57d1ef4c9
AgentTesla
6fadee8038751819aef12bc1abc18e17efbc53a8cdfb977dc5cde08e5d0c1552
AgentTesla
931669cd2085bbab158b1a883203b39e7e1198c1b35db935e0205871607aea01
AgentTesla
bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6
AgentTesla
d3dc0fad4580b2c3d0f5bfe27fd99d66b20f2a2c65c219218f9e6628a9df5d2b
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
ddd4cacc7365872cd4b9d06f4a2de4f131191dae071ed5430ed0399014f1aac2
AgentTesla
df97a31515a7737f062cd6c43a4931f18518b157f33935c9720476d83fb5ab0f
AgentTesla
+ 10'803 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-2bcmdm7s2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe d4506aeac49d083167a92bd38d4776d296750d44cd86befa03532fb2befc863c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/375594/
  
Delivery method
Distributed via web download

Comments