MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e70a32319ddb990bd412b11fc12e09e00105104fbd576e5e0f9c40445f910ae4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e70a32319ddb990bd412b11fc12e09e00105104fbd576e5e0f9c40445f910ae4
SHA3-384 hash: 70e659c19a707fd576591abdbd0eeffcbe388d69d0abaa3cf584e4dcb92b9c74bff33c2fa6a699840be97a518e568c52
SHA1 hash: 3a463187c7388a7f7bdd26673a3ebc6f540da0d7
MD5 hash: 69a0a39d6fd7052f2ecdc08aff4c0780
humanhash: edward-jupiter-maine-quiet
File name:PO C6469900H.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:430'592 bytes
First seen:2020-05-13 06:40:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:HPmySc/SN+Vf3mCVLtISZMFEs0GCEL2YvhX3ynwePWVh5dXC4WmkH4dSIaWhsTK/:HzE203pLhhywiW3XMVdWKKg42vw
Threatray 11'414 similar samples on MalwareBazaar
TLSH 0594012EB218941FCD9D53F48523599103B7AD2A78B2E38C8CC279A28BB77D65113D4F
Reporter abuse_ch
Tags:AgentTesla exe nVpn


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: yisun.co
Sending IP: 111.90.159.196
From: Edward Billingsley <e.billingsley@dencomedical.com>
Subject: RE:official PO
Attachment: PO C6469900H.zip (contains "PO C6469900H.exe")

AgentTesla C2:
http://79.134.225.114:34/qu/inc/f3da59b5b9f746.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 05:42:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=44fdemm53omqxvaswep4clqj4aaqkecpxvlw4xqptraeix4rblsa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0157268340dbee3d5090f2793561e90f051ea1a1f160cb420eacbd5525a94b93
AgentTesla
3497f186cb8e8ee119f82a97445bb6a6d75a73d480a57c12a864fcb7e8b3b725
AgentTesla
7a1cf26ab248a5fa19ed5df571e20fe4c85c2f304a0258311b07309775013d33
AgentTesla
9dfd11163e1b4b9fb8f4e30d59596095d75ae42234fbd9a90580260dd21f58a8
AgentTesla
aa00c67caa3688bdffc0b6edbb7c4b599c1e18e78c46f917dd28bc521af120cf
AgentTesla
b1518b96e396fc93c0aa5fc05ef7cfe9eef95efad173c0545e03a1240f57c219
AgentTesla
bc33d0face20153ffe1ebf0c3e9043894633a624d8e4214084c292e353777f46
AgentTesla
d21f5fcd18544952bb7012782c68b9ab3f89f1d4ee154564eafc32cce59e1ada
AgentTesla
d59fff0fc45ffa9a3a1863bf1d5ce120a510272cab077290f4277add894285be
AgentTesla
fe9ff97639cd33c6204a731b688b9fea1bd1a9df0c539717ae80816828edb600
AgentTesla
+ 11'404 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-5l7yxpswe6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d0fa933bbc3012a9dda4ec4103e442d1fb67dcb7c862f307604ec1e42a559ee8

AgentTesla

Executable exe e70a32319ddb990bd412b11fc12e09e00105104fbd576e5e0f9c40445f910ae4

(this sample)

  
Dropped by
MD5 dff68de958abfd7cec0c1a11d5bdbd80
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d0fa933bbc3012a9dda4ec4103e442d1fb67dcb7c862f307604ec1e42a559ee8

Comments