MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e651957af4c527f8a23f8c3094232c887e2a433974ab54e48e2519e8361809a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e651957af4c527f8a23f8c3094232c887e2a433974ab54e48e2519e8361809a6
SHA3-384 hash: 67405eb0c785f107c49f0be8d91e871e9f8296f92a283d0655f462af8fd7a4e6f1964814a403d6762fadbd22bb063e13
SHA1 hash: 441ce22c6d9704888ce612f03c7f170b3e993c23
MD5 hash: 0163ac2797196663b91439a473b42751
humanhash: queen-delta-failed-tennessee
File name:Order_884773_List.doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:517'120 bytes
First seen:2020-05-26 16:10:16 UTC
Last seen:2020-05-26 17:03:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:iRr0lx5GLbfZXQfPuwxC6lItilGOaAcuW19EsDSrwg2yf0sXUj0DRGk+Y/:ik5cL2o6l+itUWsDcwg
Threatray 10'630 similar samples on MalwareBazaar
TLSH 08B4BE9D3650B1DFC817C937CEA81C60EA61B87B471BD203A41326AD9A1D6ABCF115F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: zimbra207.megavelocity.net
Sending IP: 192.206.6.182
From: support-IN <support@budget1.in>
Subject: Pallex PO 884563_ITALY
Attachment: Pallex PO 884563_ITALY 1 (contains "Order_884773_List.doc.exe")

AgentTesla SMTP exfil server:
premium57.web-hosting.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WBA.29172.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 17:27:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
102cd8a7207ae8f27f844ffbb51eb18a95ba3f6647aa2b2d7031dd3000ff225c
AgentTesla
4119ad71f4f0b90b51e983fdf38008b853ebdfd0db175704d59fcbbc2adb8cda
AgentTesla
423c8c0b4eb6fc15b614326190cbd2b932f5480fdc1791ca9c03dc696ef61b31
AgentTesla
640e087a78aa77a9bb49027500f1f29f9d31f5b64c13c99b690ea813d0737fd4
AgentTesla
67819aacac4994b55659a8f7924ec0384e667ee74fe5b431a731ac5baf69448c
AgentTesla
71146568c5f7e1bc849a6f73bf08ba68c14e73fcaf049da083879f15a2cecc44
AgentTesla
8a463f15c830e566292963bf3473b16288e71350e97d84359499fd33b7329a66
AgentTesla
cea8cae444dd5dadf01c31def4681b170907b97e0cfb468a9ff317ce7ae736a3
AgentTesla
d3168e892cc0eac2e010fa380fd64aae8c55acddb06344b543a6fb0cc05e8dd3
AgentTesla
edced06a3011186bdf81b8e16739f41cb226ce9fdd57e9d8d006da27874aea65
AgentTesla
+ 10'620 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-hmx5739vea/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 5a394820228d34b9b0a7ecd5e02de5eef77988251a0ba90e17618fee964312e7

AgentTesla

Executable exe e651957af4c527f8a23f8c3094232c887e2a433974ab54e48e2519e8361809a6

(this sample)

  
Dropped by
MD5 8c00a22ad035812858244b1181907808
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5a394820228d34b9b0a7ecd5e02de5eef77988251a0ba90e17618fee964312e7

Comments