MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4cfdad9d000b5d06751ff7d1b0d347e1aa1ce9e8ace7dac3148967879392cc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4cfdad9d000b5d06751ff7d1b0d347e1aa1ce9e8ace7dac3148967879392cc4
SHA3-384 hash: d8cde2d46fea164e1d651f3871e9ab067654f3d9c0a1bcea80fb679a39f3266df688e620eb23468bb99f88bd9ee1e687
SHA1 hash: ac5fcb404398c776b21f93aa07a0fbfab1bec602
MD5 hash: b44369520e26b8f4b6116a85fb0e68cb
humanhash: nitrogen-uranus-low-enemy
File name:TXLzRtjmoMAQTOJvGNbzqTkNQqqnpqQQx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:284'160 bytes
First seen:2020-07-21 12:24:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:HTCBae64Npt81nKi1VjNQdyed+zKLj/J0FF2UiukrV:zze1NptavNQdyed+zO/2FFZ
Threatray 10'825 similar samples on MalwareBazaar
TLSH D6543A9C2B94BD02F23D1D3685DA163413B1D4878B12D30F6FC44FF8AB697DA294A2D6
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30142/
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Setting a keyboard event handler
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4cfdad9d000b5d06751ff7d1b0d347e1aa1ce9e8ace7dac3148967879392cc4/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 12:24:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4th5vwoqac25az2r756rwdjupynkdtu6rlhh3lbrjclhq6jzftca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
116b9d9f03805d0d52e9256a2a2d7104b91a6d67bbabc104c32c9f64511bd1ba
AgentTesla
6ba493ea1e159994234cd97a74f73df015437fecb04bf65c350d3d55f7940949
AgentTesla
73b78f2caff5099ed61689ba82eaa2d6dc19bb1fa2d619b9429d5f876a0ecd68
AgentTesla
81534a23f49b6824f8330f9e4943dcfcc6b4acc6ff71b31d729aaa889ec72083
AgentTesla
8ac57ec0d32b453aa23a1c7149d5cd5695c8a99a9bd0b792bfc1411b1216c4da
AgentTesla
8d98cc9cafea7bf31e27287f1002cbade82ac19f44d2b12584598509b8b10c99
AgentTesla
b90e9ce5f5236e570d28b1833f4f285527a486b885d82861e78a1bf3e2bcf827
AgentTesla
b9cd3f10b86eb37d59a6d3e1a43edb8c88bdb179bbc749e0920ea699fd255789
AgentTesla
d63ecbdde4826682339433f43e0cbdfcea27166df3be281c627edac8b30eb161
AgentTesla
d90041e6b2a7deca5936829d8a2f6b9c190abcab6c81c3a99b22d41ed6fffbb0
AgentTesla
+ 10'815 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200721-vz4zcaaj6j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4cfdad9d000b5d06751ff7d1b0d347e1aa1ce9e8ace7dac3148967879392cc4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/30142/

Comments