MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e149a102d8d46f836240231143538c91f2d4bf6f4dc37fbd3cc20d0813ddcdb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	e149a102d8d46f836240231143538c91f2d4bf6f4dc37fbd3cc20d0813ddcdb8
SHA3-384 hash:	62d6a33f24f4a71c750ad60896c8c5b64b95d649a7dbe1b1184b92ac61bef2b13c264ad32d105591a4aff0955474b9a6
SHA1 hash:	989ebf5b8719cfc24f01168f21f4d1183bc476ad
MD5 hash:	aa6b21d6aba228278fbd1241622fcf58
humanhash:	venus-butter-robert-equal
File name:	02_extracted.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'456'128 bytes
First seen:	2020-06-22 18:41:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:aAHnh+eWsN3skA4RV1Hom2KXMmHa6nxhj/b1hz0CQ4u/QbgpVI5:th+ZkldoPK8Ya6x5phYtksA
Threatray	11'111 similar samples on MalwareBazaar
TLSH	E265CF0273D2C032FFAB92739B6AF24556BD79254123852F13982DB9BD701B2163E763
Reporter	Racco42
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/12720/

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/e149a102d8d46f836240231143538c91f2d4bf6f4dc37fbd3cc20d0813ddcdb8/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-06-22 18:43:05 UTC

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4fe2cawy2rxygysaemiugu4mshznjp3pjxbx7pj4yigqqe65zw4a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

165f51e7991c74251f223156e7b02d9048c7679eed85f09d163171376857e18e

AgentTesla

1ca6d3246b59dbf5e36a28035595f2b886a9c26cbc4329c6ad5e77cbc272af08

AgentTesla

3945669106668a82fcc127f418ea0b028c8d73057b4b1715bb296627901023b0

AgentTesla

4afdd7386b6ad197804804056bc5fbd985844ab55d8068d25a0199f0551c84cb

AgentTesla

531d21a6bf81931c1d3de888e4d32666ac5c1541412c02eb0996b7c103f2f126

AgentTesla

61a1e5d143ee0c8d5929ac7386b60fa13baf8e43745f644aebc970e267b6f67a

AgentTesla

6fc9d76b06c202aeec60a5a4e5574cd7a1fe1c12c0df84e9bc65be508923ae7b

AgentTesla

9a2467d92dd6c5e322439643e05041f151b6bf6e9c8c410f96fe6ab969ea8882

AgentTesla

ce172721c1da61b4401d9b00414c050c72d33835962489ee6b59ddd4bc42ed37

AgentTesla

+ 11'101 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware persistence keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200624-dy1hak6vse/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Modifies service

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Drops startup file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/12720/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample