MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d86d0905e0be4fe91c68a6a80e48d40fe3d73c7527ce6e090068d38b34e534fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	d86d0905e0be4fe91c68a6a80e48d40fe3d73c7527ce6e090068d38b34e534fd
SHA3-384 hash:	1a95aa90d832e8d159545241c5e070f185412a3be26f0570cc09ecff4dee906d51ddf0259ebc6e8dc3d6b0553b94b297
SHA1 hash:	43bb9abedb94c55b202430fbed46ec67174b4cd1
MD5 hash:	a08021dc1649508d49b581497af67870
humanhash:	failed-uniform-whiskey-cola
File name:	regasm.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	505'856 bytes
First seen:	2020-06-23 16:43:55 UTC
Last seen:	2020-06-23 17:44:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288://wa/p4hA90/5tRSmeDDughVroZZvdO3z:AC0A903RSmTdO3z
Threatray	10'577 similar samples on MalwareBazaar
TLSH	40B4CF1803AEDE0FD79D7BB6D6A4601793EAC10B5502FF8F4E44C5B63B0A36569013AE
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Agenttesla

Link:

https://www.capesandbox.com/analysis/13235/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WEZ.20953.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d86d0905e0be4fe91c68a6a80e48d40fe3d73c7527ce6e090068d38b34e534fd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-23 16:43:34 UTC

File Type:

PE (.Net Exe)

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3bwqsbpaxzh6shdiu2ua4sgub7r5opdve7hg4ciandjywnhfgt6q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

49cc46a5a33404f3ba40f11a8e583ff17bc097e48502ac459e00ef082fbab670

AgentTesla

58b5fa72369a5fb9d5c501dce6e29752cda05620f938cf1f2c429d257f21ee78

AgentTesla

672c7a3bf89e71e2bc6caf76fa62790df8841f15a4f8b1052c75fa7038d4ffb3

AgentTesla

6cc1d7e85efbdab8e42d0c28dea93ec21e12737b64fdaebe2177918b052b2a37

AgentTesla

d18bcd6d166abe550a2633e07b2225dfaa97a7428eb1d3449b3d6b6db74e348a

AgentTesla

e5b41ad0f4038600aea9353a27e74c75ff7e6eb986b96cad04669fcbfa417fe7

AgentTesla

ee830de0a8a2f4f6059442cccd7214b04d9fcf4d937cf8a141a6a46f5049d797

AgentTesla

f293a15870946843225f6b392d7fc3c2c910c7a4c31fc199a2cfb2a2b4011ca6

AgentTesla

fa691cf8aa039755a4d992e24fdbe89c5ddcddb18821bc920bc20c0450f9f8d3

AgentTesla

+ 10'567 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200624-m2cmj7desj/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Drops startup file

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/13235/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample