MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e337cef021313425e1bb071d32482f61722d1980e8bb0d2deac6c2cd1f7bce55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e337cef021313425e1bb071d32482f61722d1980e8bb0d2deac6c2cd1f7bce55
SHA3-384 hash: c1f503a0c1786ec29c8aacd888eb685bd5df3ece120056a1b0f7920caf9ba9260639b8f1194e8006d02135ff3dac6dda
SHA1 hash: 9b4698d48d4a097329ee41038a8eaa98a1f66b9e
MD5 hash: 6ad1eafc2d5fb2e0610154bbdfed5999
humanhash: venus-lactose-quebec-tennis
File name:520065-DOC0000557423-06092020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:489'472 bytes
First seen:2020-06-09 06:07:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:EYypvJv68+6eyqYN2ttdCJKKWw15HCek8CjQR5yCV:EYOBv68+6q02Xd1mWGQWMCV
Threatray 10'628 similar samples on MalwareBazaar
TLSH 25A4E0413394E626C9BC96B5D69A0634C3E594C37F21EA45195723D6ABE3F80BF00ECE
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: pmg.alpfavill.hu
Sending IP: 217.112.135.207
From: Mustafa Ozilhan <mustafaozilhan02@gmail.com>
Subject: yükleme belgeleri
Attachment: 520065-DOC0000557423-06092020.7z (contains "520065-DOC0000557423-06092020.exe")

AgentTesla FTP exfil server:
ftp.tde.ro:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WGF.559.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 06:09:05 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4m3454bbge2clyn3a4otesbpmfzc2gma5c5q2lpky3bm2h33zzkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
059813164c50fcec84c7ff9102154104f870603b59c1226d07d2ae2790c8f4cd
AgentTesla
6299f3e36dc84d0d1aa0b460cfe353d8460f8aae5b13aa75aab9d8ea2efc1a7a
AgentTesla
64a0f19845c2724ec1e75467da1f1cab42ef3a78914171af40a0c4c8f798a9fd
AgentTesla
740937dc2e4ce55ffde8c557976b25715c76db9ee3d7dd0e8f866983575c8621
AgentTesla
8c3156c901bae62d20fce1aa07a4c0e0252ac6ab6443877396a37f83441f2b65
AgentTesla
9336f77019f21d2e8e512509c4c246925c6b3cf96d03ac45f080bbc330055d7b
AgentTesla
d2827b9a0edb006fbb6ade9f63d0948515ace0f6199a5a59725b8279eed54f25
AgentTesla
e772c14876f251ad71aa44567a90859fef8979860f44c77981d537fca37e7400
AgentTesla
f1542701299aa44f2329dde6c86e571ebd11566aec5700ae5dd48c283d7ef6ac
AgentTesla
f98d355a4771e886220488b0bffa005af9769480cde5aad275d4166c2f9b2e48
AgentTesla
+ 10'618 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-n6flek9tes/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
ServiceHost packer
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 9dd39f6cf93f7f30ec20b2dd86da0d88eab9cc1ed7636ca47c51a1b1078d8474

AgentTesla

Executable exe e337cef021313425e1bb071d32482f61722d1980e8bb0d2deac6c2cd1f7bce55

(this sample)

  
Dropped by
MD5 1473931fa0f8d858e245a87526e7caf1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9dd39f6cf93f7f30ec20b2dd86da0d88eab9cc1ed7636ca47c51a1b1078d8474

Comments