MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd121330fd6e7404cb15130de59e85a3cdeee12d7b45c73482f7d7536c36f585. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd121330fd6e7404cb15130de59e85a3cdeee12d7b45c73482f7d7536c36f585
SHA3-384 hash: 6e1237999d849d2dc175a1a9bfd0936c994dd28ba4d993f55d60f73a79d6be70f53bd3c6c34ba26ce8cb1fa98cd5ab81
SHA1 hash: 850c10fdf55a263ef4a5addecad66bb41e7c4d50
MD5 hash: f77cfc74632a57ef2062f511688ef9fa
humanhash: avocado-nitrogen-carpet-tennessee
File name:Quotation_AxFlow_0943565624453003.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:535'040 bytes
First seen:2020-05-26 10:04:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:TPN9pJKKrFFILo3ZyWcjku+PvLjh2Zfym7EcU4RWuh:TV9pVZWL6ZyTjkFPv/48
Threatray 10'553 similar samples on MalwareBazaar
TLSH CCB4CE9C3650B5EFC857C976DA982C60EA61747B430BD303A45322AD9A0E7ABCF115F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dasos-ones.pw
Sending IP: 206.125.44.194
From: Biscotti Tsoungari <custserv@fluoroseal.com>
Reply-To: mcclain@furaffinity.com
Subject: REQUEST PO-012580 (New Vendor Requirements)
Attachment: Quotation_AxFlow_0943565624453003.rar (contains "Quotation_AxFlow_0943565624453003.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WBA.10293.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 10:37:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05217e21bc796bd6ba381874fff4a1f756b9d6616fa423c66730d2119b9cb11a
AgentTesla
0b6facde8cb3a8168a5c8df1ce8ba9e203514ded957d2d9df085ed63a133e3b0
AgentTesla
0c630248507337f2835d5ff76bcadd48aca15cc50c4b334eabea3a93bac8a6cb
AgentTesla
155065582ffa38e73b116c0d434fbcc4a5a3a1c860e018d0b921301be4187edc
AgentTesla
3adda6c23f01cecac1ce8a51c8dcdab4129088a4e4abcf8f66d8a09b7fe5c84a
AgentTesla
aab6d3a004dab00fc73f89b005b7d0e01314473dcfe6ff4acb6fe84c9b139cfb
AgentTesla
b5633218ddae3b49aec89824e1032e4826fb8504d39b64b3dbe1b2ff59d38f56
AgentTesla
dab4f3595b805cc1d2e40f0b625a553cfc6c95db176df4f0673c42f8f02e4cd7
AgentTesla
f242ad8f253e4e481529cffa7b3d697683649ba31b8c8500f2d24d2bf591e553
AgentTesla
fdcdf089f15ba0a610e2d6f0c758fffb27835bec9884126f1054764112eb1dc1
AgentTesla
+ 10'543 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-9a71t4x1rn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar da844bec5f596ee5242e2d94cb78821a8ee588e5eee0f0d59abe112e3e5db50a

AgentTesla

Executable exe dd121330fd6e7404cb15130de59e85a3cdeee12d7b45c73482f7d7536c36f585

(this sample)

  
Dropped by
MD5 db550c64683aa904bae57ad128198339
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 da844bec5f596ee5242e2d94cb78821a8ee588e5eee0f0d59abe112e3e5db50a

Comments