MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e909cbf5a12f8309b93746f877cb4cdf0b8a41d07c4b2badbf917748679213d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e909cbf5a12f8309b93746f877cb4cdf0b8a41d07c4b2badbf917748679213d2
SHA3-384 hash: d246dbe2aecddc468f573e52c9e92ddbf818885c29c8db0987ac9233d3a2584c50fd8392c5ec2406a13d822d8fa90c4b
SHA1 hash: 5ad79510851f743bb4be257e36a6a0729c5679d3
MD5 hash: 876593a2d1bede193fcc3ef81b5eef4e
humanhash: ten-carbon-october-charlie
File name:H8pkkXDMNSesvys.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:537'088 bytes
First seen:2020-05-07 07:05:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ECroJB2KRczsEsqOoCCOEdUYYkWIPu/VRx61W05YnEbCW:VIRcHxOoVJwC
Threatray 10'670 similar samples on MalwareBazaar
TLSH 00B4BE8C762C32FEC827C571CE98AC64EA5074B7635B53239423558E9ACDD87CF249B2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gateway34.websitewelcome.com
Sending IP: 192.185.148.119
From: grp@buildtecfibreglass.com
Subject: PURCHASE ORDER
Attachment: PRODUCT SPECIFICATION.rar (contains "H8pkkXDMNSesvys.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Razy.552185.17876.28839.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 01:31:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ee4x5nbf6bqtojxi34hps2m34fyuqoqprfsxln7sf3uqz4scpja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
055dac93b366fb905ba0bc329170747973235cfffb8954783bc6977b2cca8c60
AgentTesla
2364247c3aeffef1ab3a097e386e61917c7083f53e016888d5c450e9f1c656ac
AgentTesla
33f3c581f4bc6cb4c7e6b63a6857220ab404020f188650f11bf0ec55e96877a4
AgentTesla
3a50e52732ad555ed6f785c81ab6b0aa11c4360a4a6a5c7daab07286b376a259
AgentTesla
89c7e12a078b0cfd756c1e3c5f2ca8255a8c2f7f81b9c66404b33cab73ca9bd7
AgentTesla
91460c91d05256b76b68f3f1167e085e9a1f7dfcbe6bb2e89eeca610d7cb0d83
AgentTesla
9251aefb3d0f5c1a21c9de09cb545c28e64c99c7424cba4021248f2cd35e6409
AgentTesla
cf927157736833cefb2d295baeaf8aab998c978ec326df974ed715c3d20b91a6
AgentTesla
ea56935a4dca19d4ed31da39e7e861574186defbb63896045cff26a38c5b3ae7
AgentTesla
fd88fa17d76588ec425e0bfe1ad1e5765dd5e6a81e32c7e30a88f7d3affd0731
AgentTesla
+ 10'660 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-vdap1eew9n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 482508de6517a1e9a74ae3bccb1c83ea87550cc65cf40cd4897f8d0baf654bce

AgentTesla

Executable exe e909cbf5a12f8309b93746f877cb4cdf0b8a41d07c4b2badbf917748679213d2

(this sample)

  
Dropped by
MD5 a561a9161e25ec162d66a86547951447
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 482508de6517a1e9a74ae3bccb1c83ea87550cc65cf40cd4897f8d0baf654bce

Comments