MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9118edc29cfe1266f681cb40d433d9a7f7611e35b75b898550d54c1deb6ffdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9118edc29cfe1266f681cb40d433d9a7f7611e35b75b898550d54c1deb6ffdd
SHA3-384 hash: 9fc338e5d9762c0d5e57abd216b6580d0643ca3eb88560c7982a9e8bb4a5bb11da46928723f3648136a4a32ff64dcf94
SHA1 hash: 48496ba89f4a0c17fa3b130ba9c9d80543d014d9
MD5 hash: 8426e607e073cd35092afcbcb8310c37
humanhash: robin-fish-william-may
File name:Evergreen Order 24-06-20.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:684'032 bytes
First seen:2020-06-24 06:55:24 UTC
Last seen:2020-06-24 07:40:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:8SLeDi+K2aojbo1L+yCuKLykhqtcQBUoKQ6YyuSXEsu1lT7H92008:8V+ojgi2UojlSUsu7s0V
Threatray 10'846 similar samples on MalwareBazaar
TLSH A1E45C2A3680780ED53E097244A959D063B2A5873B03CB0F7DDBA7AC6F067CB7F45295
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mcegress-14-lw-16.correio.biz
Sending IP: 191.252.14.16
From: smtpfox-xiydb@rochamodapraia.com.br
Subject: Fwd: Evergreen Order 23/06/2020
Attachment: Evergreen Order 24-06-20.rar (contains "Evergreen Order 24-06-20.exe")

AgentTesla SMTP exfil server:
smtp.sknei.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13517/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.51031.29995.29772.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9118edc29cfe1266f681cb40d433d9a7f7611e35b75b898550d54c1deb6ffdd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 04:45:57 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3eiy5xbjz7qsm33ids2a2qz5tj7xmepdln23rgcvbvkmdxvw77oq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08c1f9f0755e45b664ec5cd4e5e44b895e204cd89c91fc59e5a218af5abc5779
AgentTesla
56e463f760bf1035c13ba35fb49656e77c149f7f2d82b2d403d7191bbf7eda71
AgentTesla
6b0f2c8d4a8c8883be658db9868b33db30eb73755e4688279c29599eb25c6099
AgentTesla
755757fe45ca7ec3347803cad3da8e3d964c330f4649e014b22d6851c7acc5ef
AgentTesla
b82d04c79bfd870dd7024db85a5c3c60827776af6bfd6b73306ceebf72150ba4
AgentTesla
b9c9bdcb2bab456d6aeb2b1515dc364251ac811e1ed73f9fe3ef4eeccabf3693
AgentTesla
c8014126255b80593651f5fe1e69e069147866498dbb78129f775d76a0fa8682
AgentTesla
e33c1413f0f83ef05340ddbc0522ea7f313f4b7a4044e922e3f8e2ebe2af5a1e
AgentTesla
f4f5d415994b9bfd0b7e0d6b9e4515b919692a7ba8e92d98511f8353cd2beb04
AgentTesla
f963457d5a9d27cbce5df7a6ce4fb9dd288e23ef473bd90cdb3059d454949d5a
AgentTesla
+ 10'836 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-wpwgzqfr4x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Loads dropped DLL
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 2042223b3ddce31a0a188a5eb8ba8e26832602b164cfac1beb006c19bfcb605c

AgentTesla

Executable exe d9118edc29cfe1266f681cb40d433d9a7f7611e35b75b898550d54c1deb6ffdd

(this sample)

  
Dropped by
MD5 fec2ef4fbe50f587844c7e7b3f9e95a4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13517/
  
Dropped by
SHA256 2042223b3ddce31a0a188a5eb8ba8e26832602b164cfac1beb006c19bfcb605c

Comments