MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1241bc4febe8d5eeb08b49056d73fed437a4e58b84c2e71933fa30625349012. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	e1241bc4febe8d5eeb08b49056d73fed437a4e58b84c2e71933fa30625349012
SHA3-384 hash:	1a3bf07600cf687bf310c2b41eb06337e34263daf720bd0199a0357c1d08b2e281705648467b391cffdb72471afe8864
SHA1 hash:	5fb2b75037ca30d1c22229d0b3a15544ac124e8d
MD5 hash:	b0829b322fa68301b4d1ddcfa11a60a3
humanhash:	michigan-mountain-mars-nevada
File name:	FedexAWBClearanceInformation_PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	811'008 bytes
First seen:	2020-07-09 13:32:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:ypFBdf0u8d2aRL2nk/l3pNFClwg0pV3MQV0D3UVbgNItYgPUyyPHKX92WNw9T1FW:ypFBQl2kpVClTMO+3tKfgxNwVN82WJ
Threatray	11'067 similar samples on MalwareBazaar
TLSH	BB05393A3E81582ED93C057144A899D07BF1AD473A42C79F6AC6735C6E327CB3F46262
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.34142226.12016.12024.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Running batch commands

Launching a process

Creating a file in the %AppData% directory

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/e1241bc4febe8d5eeb08b49056d73fed437a4e58b84c2e71933fa30625349012/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-09 03:10:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4esbxrh6x2gv52yiwsifnvz75vbxutsyxbgc44mth6rqmjjusaja._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2a0852d239e0a74b0e6cd44ea4dc66a1c226605902b534b5661985f363efebd8

AgentTesla

3ddfcc0ce0a57e7f3131d0ba603d6516f00c6cf94f67e79ab38a7e8f922f74bc

AgentTesla

3de5c485f705f1cdf6088142033fb366aafa369044f74cf5a01a8c3517daa831

AgentTesla

510b5fe7628cdd6f15e04907dca1cac201192853e26be4ee279b2d8f90c4e25c

AgentTesla

616ab10592901307ae43cc24dd1387523a9f4998a7cef709354f304beadfb299

AgentTesla

989e1d7e6431f5da4047ac9d16ee9433b6cdaa5214f7ff0a2bab652712018c1b

AgentTesla

9f80f311d2f6a2ccaa0d4aa42ce625b6317a1785a9bb52bde2fa68f68fc7f68f

AgentTesla

bcc4bf949a4bfac011f434497872c13014a35df22719404ce306d7efe905c259

AgentTesla

ccac5881ca9beeead13f5c7f05b289e9d3013a9eea7ce8a087dcb0aade9a60e2

AgentTesla

+ 11'057 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla persistence

Link:

https://tria.ge/reports/200709-d1tjkhjge6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Modifies service

Adds Run entry to start application

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Loads dropped DLL

Reads data files stored by FTP clients

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/23808/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample