MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d767d07e2787dafa3fd856f754596a3f1bf6819116552844898b94304f92e1eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	d767d07e2787dafa3fd856f754596a3f1bf6819116552844898b94304f92e1eb
SHA3-384 hash:	b30f53ed730f99d14281ed7b9eb4f96a201c5f0fa98e2984034d6982293e5c0dbf2ba16a8ba263589e62474489f2af17
SHA1 hash:	e10f99cd252057dce9b62abb23214df46ff29f1c
MD5 hash:	7d90782090de3cf7b6219e69e9b017b6
humanhash:	north-california-spring-kilo
File name:	SecuriteInfo.com.Fareit-FVG7D90782090DE.3644
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	652'288 bytes
First seen:	2020-06-22 09:41:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:Pq2aoroS0y5l53oYFL9f0jD75O15qYzVgr+0MwtxcX3IZOHakqq57Z:PcoBjzu7Egr7Eh/
Threatray	10'666 similar samples on MalwareBazaar
TLSH	E2D42A3A7A857915D23C4A7290EA554162B1F2433E02CB1F7DCAE76CBF027CB3B46295
Reporter	SecuriteInfoCom
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/12543/

Detection(s):

SecuriteInfo.com.Fareit-FVG7D90782090DE.3644.UNOFFICIAL

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/d767d07e2787dafa3fd856f754596a3f1bf6819116552844898b94304f92e1eb/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-22 07:06:51 UTC

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=25t5a7rhq7npup6yk33viwlkh4n7namrczksqrejrokdat4s4hvq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

5bce10125f245dab9ac4ef1c0dece6313b43512e721f70f7c4846ebb23b1cdbf

AgentTesla

5ce4d4f2a15924f200619b7140bd99faad88758c0d0f0cfb4eb9d166fe2f41e3

AgentTesla

6a9aed50d116430db97c672e5b6083da7f6b3d0221cd9bc35de7ee4dfd54e6f0

AgentTesla

8a0dfa424d15f228b79cf8e773937af51dbf53251168b44afa554fd62db25f85

AgentTesla

8f2a715a89dde2c6853044e121824b188bee2125f5747d529a4f4463c4cc1ecd

AgentTesla

d9118edc29cfe1266f681cb40d433d9a7f7611e35b75b898550d54c1deb6ffdd

AgentTesla

dab4f3595b805cc1d2e40f0b625a553cfc6c95db176df4f0673c42f8f02e4cd7

AgentTesla

dc8afb659ee0ae568f793bd02e3368b9c8d9af5c3b82fae9ed0ddb8e3908aada

AgentTesla

fe89114100fb2af0270d35f95d65162b69f2e853d3d1be7eea1b4f6feffb0565

AgentTesla

+ 10'656 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware persistence keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200624-nr3tb4cnwa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Adds Run entry to start application

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/12543/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample