MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e30821af035b182de6dc8b54d9506383cd5a5713c4448faa4c842763371063b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e30821af035b182de6dc8b54d9506383cd5a5713c4448faa4c842763371063b2
SHA3-384 hash: d45025f2e54b1d0c54acccac82c4f4d9ff35c0d8459c8bac4e913496815594feb394a9d04a0aa4d6c438d78c6c3979a1
SHA1 hash: 1c7d827a31928013cb73f0ca531049a51526ab8f
MD5 hash: 87829329eaf078dafa93997da2e7254f
humanhash: arizona-mirror-lamp-lion
File name:87829329eaf078dafa93997da2e7254f.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:776'704 bytes
First seen:2020-06-26 11:57:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:MKxw2aojboejq9A3W2Ct42L8+yqSQkddLIKLtfNDT+JjJsPygVRX7ZKyQ4f8:MFojGaWDL8VN17DQJerR1KyQ4U
Threatray 10'675 similar samples on MalwareBazaar
TLSH 4CF45B2EB581790EC63D493244965DE053F1E2432B02CB1F79DAA7AC6E067CF7F09299
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14898/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.349.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e30821af035b182de6dc8b54d9506383cd5a5713c4448faa4c842763371063b2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-23 23:09:02 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4mecdlydlmmc3zw4rnknsuddqpgvuvytyrci7ksmqqtwgnyqmoza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b47b1d455c8523eb73b69934c91f2082277e5ba705e066fceaf927b81e4c060
AgentTesla
3027dc21e325fddbc9e6cd21b0491f3270190f219776de4971e510c4490d3c25
AgentTesla
573535f4daf60e724e68c766dfa8ac52bb96b33d4bbe307e36730725dd0f40b0
AgentTesla
686bf5243c5d71d36ce6c9b870cad9316aa1218154614fdcd091d7bb8573ca2c
AgentTesla
884ec2901e7bacdf6f6a84383997a8e4fd297d18009545751cef558ae726472b
AgentTesla
a6d44377671c37e4ef84efae15b17efbcdd03a8b5af2704e74f75126f333196f
AgentTesla
a9297e27075d755670954bcffb05bc3dd60fde115a342c93a6e76ac9ff6b9494
AgentTesla
de54a16c8d1a17a0eb2b797cb1fd7604ff1607e53cfab3b05f1fc9c28f1f83b0
AgentTesla
ea1e920b88c5129a91704c6075aa29e5e0f86240f64ad742497eefdbde4ea207
AgentTesla
f963457d5a9d27cbce5df7a6ce4fb9dd288e23ef473bd90cdb3059d454949d5a
AgentTesla
+ 10'665 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200626-l5fkanz1b6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14898/

Comments