MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d63ae672835f5fd689bf0a4c5bd1aaacba19379c6467fefdae6b9fc1518de9e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	d63ae672835f5fd689bf0a4c5bd1aaacba19379c6467fefdae6b9fc1518de9e0
SHA3-384 hash:	4faf044bd3c5a4c19797118e3f9130a8b2e4c3e3eb3abaf41ce2106990cecdbf103fe02063aa035a8e1cfced96f785f4
SHA1 hash:	1ad9fe5311ba73a05e6e71ab451a2174bf5740a0
MD5 hash:	847360a3f7557c292401cfe142255199
humanhash:	crazy-yankee-arizona-foxtrot
File name:	SecuriteInfo.com.Trojan.Inject3.40368.17518.19914
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	537'088 bytes
First seen:	2020-05-22 10:52:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	6144:xxoNq57UeGxMNwsu6GxvaHe7oZ78s89+ihaC9Z7kFu3Cg+si2qz96JbImeamst9d:xxJUeCMNuV6798wC92FJrsi99o8aX7
Threatray	10'743 similar samples on MalwareBazaar
TLSH	08B4020222E81726D16E8FFE20D150101BF6AD3B2593F76F9ED174EA0E737508A61DA7
Reporter	SecuriteInfoCom
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Inject3.40368.17518.19914.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-22 09:59:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

2/5

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2b715e7e0b8239ab65ad9680f3a2f5b582bd488dd2926b8b7dcd178bd3239049

AgentTesla

2e64d3413977341f15b821a6df86b64af192abbdb06499599f92be8e925082bd

AgentTesla

387b37b3f24aee2415ac723a697617c09eff5269e8657bd9c25194894336cb01

AgentTesla

672e3f987619a0968785b91fc3e8a824be6f331e9a49859519de5c143d354700

AgentTesla

73d7dd837e7edf4851cc56c04e02d9b8e54fbbb5097e83d8615f9cca51f0092f

AgentTesla

755757fe45ca7ec3347803cad3da8e3d964c330f4649e014b22d6851c7acc5ef

AgentTesla

75ddb1231411d9081444e739cbfd364249a18a5b7dd44a85d6363250f5d0a6f8

AgentTesla

8efa8505066ee4c366657eb07b866e7493dffd71a6c4626c811dd25e15b45828

AgentTesla

e4bdbc72938f14ea66de9620b653a03bcd0b4c6b3a3b6bd7335ef15872dfb7cd

AgentTesla

+ 10'733 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-ssa3knvlme/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

rezer0

AgentTesla

CoreEntity .NET Packer

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample