MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d736600bb69d2649cb7d8e7df884063266fb9d0ae97e284b038c80563e7df645. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d736600bb69d2649cb7d8e7df884063266fb9d0ae97e284b038c80563e7df645
SHA3-384 hash: 4fd5a9415d062b608bef48cce5789c0c43d426d331d4da9852130822fda17ab4ee5c33b20d514d9fbb4b33926695e6c4
SHA1 hash: 962bca3f6acdb1d88274b4c61cfb1a987758c3a3
MD5 hash: 9a118f214b5c3906a5a88d325fc36d8b
humanhash: solar-august-zebra-oven
File name:DOC#662020094753525737.EXE
Download: download sample
Signature AgentTesla
Create hunting rule
File size:4'237'312 bytes
First seen:2020-06-09 09:10:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:8uDzzHXZ2mgRHy96cBwySVVRNe8GZqBz89PMDTG0:8qzHXIxHo6cBwymVRUqBz89
Threatray 10'641 similar samples on MalwareBazaar
TLSH 2916F01B690CA472DF3C073E448509D162F05D4A29C9F20F27B96E7CDA3E2A61E1FA5D
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/7280/
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 09:12:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=243gac5wtutets35rz67rbaggjtpxhik5f7cqsydrsafmpt56zcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07cad509cf5a4ee6406a4229fe21bfaf23101816b2328402f86bc3b9e8c47d44
AgentTesla
5bf9c6dd99a8c7ee59efcf09ff2b4ee5b5f51aab9ad91cd2aa0fca4b0ae975ba
AgentTesla
a70fef725d796b5adb74d12567424fe976af6539cc49d7c0fb9cfbf5812edb03
AgentTesla
b4e4955cd0abdc5df6d5e1db5d58f3b0f1de491540371e919941f6dc9741f23e
AgentTesla
b8968bfb9319f3bffbc742c99a60acf9dcc47c24eaf92ce5d5c8233807093df8
AgentTesla
cea8cae444dd5dadf01c31def4681b170907b97e0cfb468a9ff317ce7ae736a3
AgentTesla
e1edaeafb526cd694a3f293cf47ad4bdb832cc0c6d697a1f386d0f9b63dcd152
AgentTesla
e42fe9ce657b9eedca1497cbcecfb3a6b7ed453ff5dde6c4cc3f06cdf7b59b00
AgentTesla
efe9be78a8da440c576162c8bd5498972ec6134b4276c05acb6a3b060a4013bb
AgentTesla
f3635e26f70dfb1240a5f8c7b09ea634ee9e5b6692cb73829b0124c0b2505281
AgentTesla
+ 10'631 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-yjk5tqtxmj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 6ab5c2541f790f8278d26aedce513de03a016d7539bc5309567d5752b9a65d86

AgentTesla

Executable exe d736600bb69d2649cb7d8e7df884063266fb9d0ae97e284b038c80563e7df645

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 6ab5c2541f790f8278d26aedce513de03a016d7539bc5309567d5752b9a65d86
Cape
Cape
https://www.capesandbox.com/analysis/7280/

Comments