MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4e051a0735b38629b41490c52c79a0bd1f612bad9994bd635adcfce1287b613. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4e051a0735b38629b41490c52c79a0bd1f612bad9994bd635adcfce1287b613
SHA3-384 hash: 2e5b6449633957f34f149a8e177d1571c083b9c077c963d500f24a70569cb32dcdd8571eb61a15a983db005db0c4797a
SHA1 hash: 7d8f29a1feba1a67886afc8b94939620f4ca434f
MD5 hash: 93b92abfcf3950cb2af241a33fdf16e3
humanhash: may-nine-gee-oven
File name:PQodI8lepJHfslp.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:679'424 bytes
First seen:2020-07-01 02:24:34 UTC
Last seen:2020-07-01 04:18:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:tIT6UO40fhFohFqGyBg5Qjx8aAwsdiAv/BrbnZPvG2dncT6:tITpF0fI7qGEQQjxkw+iwrbZnG2dn26
Threatray 10'606 similar samples on MalwareBazaar
TLSH 88E4F14072F8CFA7C6BF47F58621C61263308934354DCB89ACE67AFE2C71B9509A5297
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
6
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.56448.16918.24326.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4e051a0735b38629b41490c52c79a0bd1f612bad9994bd635adcfce1287b613/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 18:58:18 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4tqfdidtlm4gfg2bjegffr42bpi7mev23gmuxvrvvxh44euhwyjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0442367788ead3ccf0c9a36805053be48c332ab656f51667f4c08cbbfa3f3ac0
AgentTesla
200e5b0b9f6c2ff5f4cce4653f467b8861983a566a6b5b68c878da8c0f30de4c
AgentTesla
2309aa4694a2bf38f32daaf9d90dad4a50aee5c98bb5fd0e868aa02e44f6f2ed
AgentTesla
2b350878e901bee046370a4265b157d3abf327e45eefac9a9a58a2b58aed0a43
AgentTesla
3c66f6c923c31e14a95ce0888a3ddbe65035b52f8f0477a9097df9c5ff8de1c8
AgentTesla
5d5010a8adc3bce8ff071d6b084ddd50bbc416a792d7865ba48864f4801eaf51
AgentTesla
81017d8c509a860f8c0181a8e7a33c1c6fd27e69d995a734ede171e4b999da81
AgentTesla
b62ae8994c57048042c61348dbdd8f8c9dbda4ae0dc627321e584eeceb9e9e23
AgentTesla
d6be58f8ff6c7e1a058e268255ff6ff3ec94b2e50a166cd8ba09ff466be82c5f
AgentTesla
e9b2a4f0d83f860386b4f5941d264b231f1e8c14899bb4a430b21f6123befcd8
AgentTesla
+ 10'596 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200701-ky9heht4es/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 235b3e73e5812044f0a64a578e5c30cc5181633be97e917bacf4e7f798cec597

AgentTesla

Executable exe e4e051a0735b38629b41490c52c79a0bd1f612bad9994bd635adcfce1287b613

(this sample)

  
Dropped by
MD5 2a42c504e51f6a8481dddf9cfc269125
  
Dropped by
SHA256 235b3e73e5812044f0a64a578e5c30cc5181633be97e917bacf4e7f798cec597
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/18143/

Comments