MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dffe7fe7b287e18288291cd5060a9f8a87c92e91bbed5a41a28f7c3914db73d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dffe7fe7b287e18288291cd5060a9f8a87c92e91bbed5a41a28f7c3914db73d4
SHA3-384 hash: c29065f0905fb3931ba7c40dc8f663b475eb745fb45c489645a9938207b22c70b03800daae4f494070fd749f0c3ce023
SHA1 hash: 4e8bbdfb9a99f939548ab8bdbda63d7c88ac1f7c
MD5 hash: ed774675d6983dfe1611f058637b22d6
humanhash: violet-kilo-romeo-ack
File name:PO 48290.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:434'688 bytes
First seen:2020-06-29 04:51:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/gxDwHC/VX66vL6k+4HsXH7wCU2Wk8YFmY:/gxDwHC/cYLFsL94Y
Threatray 10'628 similar samples on MalwareBazaar
TLSH 6694E00077BC4FAAEABF03FA656545158BF269A66812E31D8DD230DF54B2F41CA41F23
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/15292/
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.ENGK.190.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dffe7fe7b287e18288291cd5060a9f8a87c92e91bbed5a41a28f7c3914db73d4/
Threat name:
Win32.Trojan.Skeeyah
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 04:22:02 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=377h7z5sq7qyfcbjdtkqmcu7rkd4slurxpwvuqncr56dsfg3opka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20fa03ed146d67328f48a4609fd5a1f2f584576dcb93450661d4b6e1f9c269da
AgentTesla
353e157d4f8e9729a3cce3c7824bed4b4812a3d1edc885bbb6c949288c1c07a2
AgentTesla
439cdf2c1eb3870a37188959dc1843be217dc00ae643d1f575c336f6b84dab4d
AgentTesla
465f9513ae4e41b60b3a6a86b5d5aaf9fcca598b8c7d77015e4495d5c54d91e6
AgentTesla
617d412ea96ae9c5d0934c714a811b839015e763c2731879dad2cb998336a3fb
AgentTesla
677cd89b052993db94346f82c1a00e3d022621ab71cd8101e41645d6f0a9933d
AgentTesla
738acd1b73b637e5aabce4ba985c985ba24917066adb94dd0773a7498649ad5d
AgentTesla
8d519346a57dd9f92414cf2fa7b5417055d458dd03d2a6b567309ce4bcde43ff
AgentTesla
aa9df4f8056100406310008515c2504dfe2a1aeea23991ad9b3737aa711c7589
AgentTesla
e4776f228c9e7ea3f67c614257cc08b679660feec06a1eaf6f0c9531ad8a5378
AgentTesla
+ 10'618 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200629-66v6a7a7ls/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar b9b0d8a817f3ee9298fcdf13e1de201c0f0e415bb4a9667a244baba7386a72b3

AgentTesla

Executable exe dffe7fe7b287e18288291cd5060a9f8a87c92e91bbed5a41a28f7c3914db73d4

(this sample)

  
Dropped by
MD5 729317f3c86c5b00ef0f48e90eeb1380
  
Dropped by
SHA256 b9b0d8a817f3ee9298fcdf13e1de201c0f0e415bb4a9667a244baba7386a72b3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/15292/

Comments